CTF-All-In-One/doc/6.1.12_pwn_n1ctf2018_vote.md
2018-08-05 17:43:10 +08:00

50 lines
1.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 6.1.12 pwn N1CTF2018 vote
- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [漏洞利用](#漏洞利用)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.1.12_pwn_n1ctf2018_vote)
## 题目复现
这个题目给了二进制文件和 libc
```text
$ file vote
vote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=53266adcfdcb7b21a01e9f2a1cb0396b818bfba3, stripped
$ checksec -f vote
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 4 vote
```
看起来就是个堆利用的问题:
```text
$ ./vote
0: Create
1: Show
2: Vote
3: Result
4: Cancel
5: Exit
Action:
```
然后就可以把它运行起来了:
```text
$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./vote" &
```
另外出题人在 github 开源了题目的代码,感兴趣的也可以看一下。
## 题目解析
## 漏洞利用
## 参考资料
- <https://ctftime.org/task/5490>