2018-03-22 12:19:32 +07:00
|
|
|
# 6.1.13 pwn 34C3CTF2017 readme_revenge
|
|
|
|
|
|
|
|
|
|
- [题目复现](#题目复现)
|
|
|
|
|
- [题目解析](#题目解析)
|
|
|
|
|
- [参考资料](#参考资料)
|
|
|
|
|
|
|
|
|
|
|
2018-04-08 08:43:42 +07:00
|
|
|
[下载文件](../src/writeup/6.1.13_pwn_34c3ctf2017_readme_revenge)
|
2018-03-22 12:19:32 +07:00
|
|
|
|
|
|
|
|
## 题目复现
|
|
|
|
|
```
|
|
|
|
|
$ file readme_revenge
|
|
|
|
|
readme_revenge: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=2f27d1b57237d1ab23f8d0fc3cd418994c5b443d, not stripped
|
|
|
|
|
$ checksec -f readme_revenge
|
|
|
|
|
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
|
|
|
|
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 3 45 readme_revenge
|
|
|
|
|
```
|
|
|
|
|
与我们经常接触了题目不同,这是一个静态链接程序,运行时不需要加载 libc。not stripped 也为调试提供了便利。
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ ./readme_revenge
|
|
|
|
|
aaaa
|
|
|
|
|
Hi, aaaa. Bye.
|
|
|
|
|
$ ./readme_revenge
|
|
|
|
|
%x.%d.%p
|
|
|
|
|
Hi, %x.%d.%p. Bye.
|
|
|
|
|
$ python -c 'print "A"*2000' | ./readme_revenge
|
|
|
|
|
Segmentation fault (core dumped)
|
|
|
|
|
```
|
|
|
|
|
我们试着给它输入一些字符,结果被原样打印出来,而且看起来也不存在格式化字符串漏洞。但当我们输入大量字符时,触发了段错误,这倒是一个好消息。
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## 题目解析
|
|
|
|
|
|
|
|
|
|
## 参考资料
|
|
|
|
|
https://ctftime.org/task/5135
|
