One 、 see file

First file ./pwn1_sctf_2016 Check the file type and then checksec --file=pwn1_sctf_2016 Check the file protection .

Two 、IDA Decompile

use IDA Pro 32bit open pwn1_sctf_2016 Post press F5 Disassemble the source code and check the main function , Find out vuln() function .

double-click vuln() Function view source code , Found after analysis fgets() Function limits input 32 Bytes to variable s in , At first glance, it does not exceed the available stack size .
Press again F5 Later found that 19 Yes replace() The function will put the input I Replace with you,1 Characters become 3 Characters . And in the 27 Guild to the original s Variable reassignment .
stay Functions window You can see there's one get_flag() function , Press F5 Disassembly shows that this is a system call , And get_flag() The starting address of the function is 0x8048F0D.

Check the stack structure and find s The length of is 0x3c, namely 60 Bytes , Input is limited to 32 Within bytes , Every I Can be replaced by you, So the input 60÷3=20 individual I You can overflow the stack , then db 4 dup(?) We still need to take 4 Bytes of memory , Then add get_flag() Starting address of the function 0x8048F0D constitute payload.

3、 ... and 、 Code

from pwn import *
# remote() Establish a remote connection , To specify ip and port
io = remote('node4.buuoj.cn', 25314)
payload = b'I'*20 + b'a'*0x4 + p32(0x8048F0D)
io.sendline(payload) # send data 
io.interactive() # And shell Interact 

summary

The situation of this topic is that there are more functions to replace characters , Make a I In storage, it becomes you, One byte becomes three bytes , At this time, we need to determine how many characters make the stack overflow according to the situation .

Or the normal process , But the title has begun to change , I'm still in a vague state ,
harm , Vegetable dog son still needs efforts .