[BMZCTF-pwn] 12-csaw-ctf-2016-quals hungman

Guess this question or 2.23 （ I'm not going to do it , None of the above questions has a remote environment , And these seem to have been done ）

This is a silly word game. The data structure is like this ：

1. chunk0 Write the largest name you enter 0xf8( It can be small )
2. Program record ：4 Byte record ,4 Byte name length ,8 Byte name chunk0 The pointer to
3. A random number as long as its name

Enter your name first , Then line it into random numbers , Then wait for characters , If there is the same score , altogether 26 How can it be the same if you lose all , When the maximum record is exceeded, the name can be modified （ There is an overflow ）

      puts("High score! change name?");
      __isoc99_scanf(" %c", &v3);
      if ( v3 == 121 )
      {
        s = malloc(0xF8uLL);
        memset(s, 0, 0xF8uLL);
        v8 = read(0, s, 0xF8uLL);
        *(_DWORD *)(a1 + 4) = v8;
        v14 = strchr((const char *)s, 10);
        if ( v14 )
          *v14 = 0;
        memcpy(*(void **)(a1 + 8), s, v8);  // Name length is less than F8 when , You can enter F8 Overflow to record 
        free(s);

It's easy to control the overflow to the pointer

Overflow first, write the pointer as got An address of the table , The following output will output the value , So you get libc Address .

The question is which to write , According to the later function call, you can use snprintf and strchr, After looking at the original one, I used libc_start_main

strchr Just use it here once , Let's start with the leak libc Change it to system, Enter next time /bin/sh

Write libc_start_main Then there is gmon_start and memcpy Write here /bin/sh\0,0,system In fact, it uses system cover memcpy In execution memcpy The inner parameter is exactly /bin/sh（ This is a coincidence ）

If you use snprintf You can also restore the whole got Watch then turn /bin/sh writes 602100

printf Words , Didn't try to write one_gadget Maybe it's ok