所以我们读6161616b
偏移量是40,起飞
step5 exp搞起
整体思路:
一个全局变量一个main函数一个局部变量
两个get
第一个get把他覆盖到输入,栈的返回值覆盖到全局变量的入口处,第二个get输入我们的shellcode
注意选用全局变量存放shellcode,就要考虑是否有权限
exp理解:
程序是64位的,os是linux的,所以我们要告诉电脑
offset是40,我们上面cyclic求的
shellcode是自动生成的
grep可以找到buf2,这里我们用其他的方式来找ELF()+symbols[]
一个get的payload使我们指向buf2
第二个get利用shellcode来getshell
因为程序有交互,p.recvuntil(’: '),的意思就是直到程序输出的内容含有:+空格再继续向下发送信息
希望大家可以有所收获!!!
![[PWN][高级篇]ROP-ret2libc-32/64位实例 (共四个)(上)](https://ucc.alicdn.com/pic/developer-ecology/96b3bb9db6d7479785f5d31e9c27a24a.png?x-oss-process=image/resize,h_160,m_lfit)
——内核常见调试手段(printf、dump_stack、devmem)](https://ucc.alicdn.com/pic/developer-ecology/je52eorcpmkr4_594a826229444cedaa059c330bc75e43.png?x-oss-process=image/resize,h_160,m_lfit)
![[PWN][进阶篇]ROP_Ret2Shellcode-32实例(下)](https://ucc.alicdn.com/pic/developer-ecology/72717981f16f45b2b8bbac48f04b5810.png?x-oss-process=image/resize,h_160,m_lfit)
![[PWN][进阶篇]ROP_Ret2Shellcode-32实例(上)](https://ucc.alicdn.com/pic/developer-ecology/fac4985ac26445a0bdd73c074b9871b0.png?x-oss-process=image/resize,h_160,m_lfit)
![[PWN][进阶篇]ROP-Ret2Shellcode-64位实例(上)](https://ucc.alicdn.com/pic/developer-ecology/34cdd970fd234556b672f343db2f62e6.png?x-oss-process=image/resize,h_160,m_lfit)
![[PWN][高级篇]ROP-ret2libc-32/64位实例 (共四个)(下)](https://ucc.alicdn.com/pic/developer-ecology/083ab68ffa4942409f7e9c6399a955b8.png?x-oss-process=image/resize,h_160,m_lfit)
![[PWN][高级篇]ROP-ret2libc基础知识](https://ucc.alicdn.com/pic/developer-ecology/4bbb345c1edd4425a6e7b42eed3f06da.png?x-oss-process=image/resize,h_160,m_lfit)
![[PWN][进阶篇]Rop-Ret2Text介绍及实例教学](https://ucc.alicdn.com/pic/developer-ecology/2e0fa6b933ee4f5fb758d032b4878465.png?x-oss-process=image/resize,h_160,m_lfit)